Description of Problem:
ifup-port inserts ipchains rules so that DNS will "work". However, these rules are very promiscuous and for UDP only. This presents two problems:

1) By not allowing TCP DNS replies, some people will experience "broken" DNS, i.e. large replies (sent as TCP data rather than UDP) will be blocked. Solution: add rules for TCP.

2) By using simplistic rules (destination 0.0.0.0, any port) it is now possible for someone to spoof the DNS server and scan the Linux box, or any machine the Linux box is supposed to be protecting if it is configured as a firewall. This means that there are a LOT of "protected" networks behind a Linux firewall that are not very well protected. The destination should at least be minimized to ports 1024 and up (reducing exposure of the Linux box and anything behind it), and ideally the rules should specify the IP address(es) of the Linux box's interfaces only.

How Reproducible: N/A
Steps to Reproduce: N/A
Actual Results: N/A
Expected Results: N/A
Additional Information:
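To make the two rule shapes concrete, here is an added example (not code from the bug report or from initscripts) that prints the loose UDP-only rule as the report describes it next to a tightened replacement that adds TCP, restricts destination ports to 1024 and up, and binds the rule to the local interface address. The rule text is reconstructed from the report's description, not copied from the script; the addresses and the interface name are constructed samples, and nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example: echo ipchains rules for review; nothing is loaded into the
# kernel. Addresses (192.0.2.53, 198.51.100.7) and ppp0 are constructed samples.

# Rule shape the report complains about: any UDP packet claiming to come from
# the DNS server's port 53 is accepted to any destination address and any port,
# so anyone who spoofs the resolver's address can reach every UDP port.
loose_dns_rules() {
    dns_ip=$1
    echo "ipchains -A input -p udp -s $dns_ip 53 -d 0.0.0.0/0 -j ACCEPT"
}

# Tightened replacement: replies may only go to the interface address that
# sent the query and only to unprivileged ports. The TCP rule uses "! -y"
# (not SYN) so only segments belonging to a connection we opened are accepted,
# which lets large answers that fall back to TCP through without exposing
# listening services.
strict_dns_rules() {
    dns_ip=$1      # resolver address from /etc/resolv.conf
    local_ip=$2    # address of the local interface that talks to it
    iface=$3       # interface name, e.g. ppp0
    echo "ipchains -A input -i $iface -p udp -s $dns_ip 53 -d $local_ip 1024:65535 -j ACCEPT"
    echo "ipchains -A input -i $iface -p tcp ! -y -s $dns_ip 53 -d $local_ip 1024:65535 -j ACCEPT"
}

# Review helpers: count rules that restrict the destination port range and
# rules that cover TCP. "|| true" keeps grep's "0" output from aborting set -e.
count_port_restricted() { grep -c ' 1024:65535 ' || true; }
count_tcp() { grep -c -- '-p tcp' || true; }

loose_dns_rules 192.0.2.53
strict_dns_rules 192.0.2.53 198.51.100.7 ppp0
```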
Changing to initscripts component. If your UDP scan src address is spoofed, you don't get any replies anyway (unless you do some special tricks like spoofing the src to be something else in your LAN and running tcpdump in promisc mode). Also, the rules were justified by the fact that if your DNS server is compromised, this is the least they can do. Nonetheless, I agree that the rules should be stricter.
These rules are the same as any original rules created by the firewall tool, so I'm probably not going to change them.
Actually, the sport will be changed in 6.13-1.