Red Hat Bugzilla – Bug 44038
errors in ifup-post firewalling script
Last modified: 2014-03-16 22:21:09 EDT
Description of Problem:
ifup-post inserts ipchains rules so that DNS will "work". However, these
rules are very promiscuous and for UDP only. This presents two problems:
1) By not allowing TCP DNS replies, some people will experience "broken"
DNS, i.e. large replies (sent as TCP data rather than UDP) will be blocked.
Solution: add rules for TCP.
2) By using simplistic rules (destination 0.0.0.0, any port) it is now
possible for someone to spoof the DNS server and scan the Linux box or any
machine the Linux box is supposed to be protecting if it is configured as
a firewall. This means that there are a LOT of "protected" networks behind
a Linux firewall that are not very well protected. The destination should
at least be minimized to ports 1024 and up (reducing exposure of the Linux
box and anything behind it), and ideally the rules should specify the IP
address(es) of the Linux box's interfaces only.
Steps to Reproduce:
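As an added example (not part of this bug report and not initscripts code), the following Python script parses ipchains command lines of the form a boot script would run, flags the two weaknesses the report describes (reply rules that accept to any destination address or to privileged ports, and UDP rules with no TCP counterpart), and emits the stricter rule set the reporter asks for: replies only to the box's own addresses and only to ports 1024 and up. The sample rules, nameserver addresses and interface addresses are constructed; the shape of the sample lines is an assumption about what ifup-post installed, not a copy of it. The `! -y` on the TCP rule (accept non-SYN packets only, so the nameserver cannot open connections to the box's high ports) goes one step beyond what the report itself suggests.

```python
"""Audit ipchains DNS-reply rules for the weaknesses described in the bug
and generate a stricter replacement set.  Added example, not initscripts code."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"domain": 53}          # enough for the rules under discussion


def _network(addr: str) -> ipaddress.IPv4Network:
    # ipchains accepts the shorthand "0/0" for "any address"
    if addr == "0/0":
        return ANY_NET
    return ipaddress.ip_network(addr, strict=False)


def _ports(spec: Optional[str]) -> Tuple[int, int]:
    # no port given means every port; "a:b" is an inclusive range
    if spec is None:
        return (0, 65535)
    lo, _, hi = spec.partition(":")
    lo_n = int(PORT_NAMES.get(lo, lo))
    hi_n = int(PORT_NAMES.get(hi, hi)) if hi else lo_n
    return (lo_n, hi_n)


@dataclass
class Rule:
    chain: str = ""
    proto: str = "all"
    src: ipaddress.IPv4Network = ANY_NET
    sport: Tuple[int, int] = (0, 65535)
    dst: ipaddress.IPv4Network = ANY_NET
    dport: Tuple[int, int] = (0, 65535)
    target: str = ""
    raw: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one ipchains command line (the form a script would execute)."""
    argv = shlex.split(line)
    r = Rule(raw=line.strip())
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in ("-A", "-I"):
            r.chain = argv[i + 1]; i += 2
        elif a == "-p":
            r.proto = argv[i + 1].lower(); i += 2
        elif a == "-j":
            r.target = argv[i + 1]; i += 2
        elif a in ("-s", "-d"):
            net = _network(argv[i + 1]); i += 2
            spec = None                       # optional port or port range follows the address
            if i < len(argv) and not argv[i].startswith(("-", "!")):
                spec = argv[i]; i += 1
            if a == "-s":
                r.src, r.sport = net, _ports(spec)
            else:
                r.dst, r.dport = net, _ports(spec)
        elif a == "-i":
            i += 2                            # interface name: irrelevant to this audit
        else:
            i += 1                            # program name, "!", "-y", "-l", ...
    return r


def is_dns_reply(r: Rule) -> bool:
    # a reply rule: inbound, accepted, and matched on source port 53
    return r.chain == "input" and r.target == "ACCEPT" and r.sport == (53, 53)


def audit(lines: List[str]) -> List[str]:
    """Return one finding per weakness, in the terms the bug report uses."""
    findings = []
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    reply = [r for r in rules if is_dns_reply(r)]
    for r in reply:
        if r.dst == ANY_NET:
            findings.append(f"{r.raw}: destination is any address, not this host's interfaces")
        if r.dport[0] < 1024:
            findings.append(f"{r.raw}: destination ports include privileged ports (< 1024)")
    for src in sorted({r.src for r in reply}, key=str):
        protos = {r.proto for r in reply if r.src == src}
        if "udp" in protos and "tcp" not in protos:
            findings.append(f"{src}: UDP reply rule has no TCP counterpart; large answers will be dropped")
    return findings


def hardened_rules(nameservers: List[str], local_addrs: List[str]) -> List[str]:
    """Replies only to this host's own addresses and only to unprivileged ports;
    TCP replies are admitted too, but not SYNs, so the nameserver cannot open connections."""
    out = []
    for ns in nameservers:
        for local in local_addrs:
            out.append(f"ipchains -A input -p udp -s {ns} 53 -d {local} 1024:65535 -j ACCEPT")
            out.append(f"ipchains -A input -p tcp ! -y -s {ns} 53 -d {local} 1024:65535 -j ACCEPT")
    return out


# Constructed sample in the shape the report complains about (assumption: not the real ifup-post lines)
SAMPLE = [
    "/sbin/ipchains -I input -s 10.0.0.53 53 -d 0/0 -p udp -j ACCEPT",
    "/sbin/ipchains -I input -s 10.0.0.54 53 -d 0/0 -p udp -j ACCEPT",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
    print("--- stricter replacement (constructed nameserver and interface addresses) ---")
    for rule in hardened_rules(["10.0.0.53", "10.0.0.54"], ["192.168.1.1", "203.0.113.7"]):
        print(rule)
```

Feeding the generated rules back through `audit()` yields no findings, which is the check to keep in a boot script: the rule set a script installs should pass the same test the report applies to the old one.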
Changing to initscripts component.

If your UDP scan src address is spoofed, you don't get any replies anyway (unless you do some special tricks like
spoofing the src to be something else in your LAN, and running tcpdump in promisc mode). Also, the rules were justified
by the fact that if your DNS server is compromised, this is the least they can do.
Nonetheless, I agree that the rules should be stricter.

These rules are the same as any original rules created by the firewall tool, so
I'm probably not going to change them.

Actually, the sport will be changed in 6.13-1.