Bug 44038 - errors in ifup-post firewalling script
errors in ifup-post firewalling script
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: initscripts (Show other bugs)
7.1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-10 00:58 EDT by seifried
Modified: 2014-03-16 22:21 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-08-09 01:12:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description seifried 2001-06-10 00:58:56 EDT
Description of Problem:

ifup-port inserts ipchains rules so that dns will "work". However these 
rules are very promiscuous and for UDP only. This presents two problems:

1) by not allowing tcp dns replies some people will experience "broken" 
DNS, i.e. large replies (sent as TCP data rather then UDP) will be blocked.

Solution: add rules for TCP

2) by using simplistic rules (destination 0.0.0.0 any port) it is now 
possible for someone to spoof the dns server and scan the Linux box or any 
machine the Linux box is supposed to be protecting if it is configured as 
a firewall. This means that there are a LOT of "protected" networks behind 
a Linux firewall that are not very well protected. The destination should 
be at least minimized to ports 1024 and up (reducing exposure of the Linux 
box and anything behind it) and ideally they should specify the IP address
(s) of the Linux box's interfaces only. 

How Reproducible:

N/A

Steps to Reproduce:

N/A 

Actual Results:

N/A

Expected Results:

N/A

Additional Information:
Comment 1 Pekka Savola 2001-07-22 15:22:57 EDT
Changing to initscripts component.

If your UDP scan src address is spoofed, you don't get any replies anyway (unless you do some special tricks like 
spoof the src to be something other in your LAN, and run tcpdump in promisc mode).  Also, the rules were justified
by the fact that if your DNS server is compromised, this is the least they can do.

Nonetheless, I agree that the rules should be stricter.
Comment 2 Bill Nottingham 2001-08-09 01:10:43 EDT
These rules are the same as any original rules created by the firewall tool, so
I'm probably not going to change them.
Comment 3 Bill Nottingham 2001-08-09 01:12:43 EDT
Actually, the sport will be changed in 6.13-1.

Note You need to log in before you can comment on or make changes to this bug.