Red Hat Bugzilla – Bug 847707
firewalld: needs source address validation
Last modified: 2014-04-03 09:07:34 EDT
ESTABLISHED/RELATED rules match packets irrespective of the interface they arrive on. This means that without rp_filter=1, connected devices can inject traffic into existing flows and send packets to services to which they would not ordinarily have access. Only rp_filter=1 prevents that, rp_filter=2 (loose uRPF) is not sufficient.
As far as I can tell, the default configuration sets rp_filter=1 on IPv4 interfaces, so this is just additional hardening for IPv4. A sanity check in firewalld for the rp_filter setting might therefore be sufficient.
Not sure about IPv6, I couldn't find an equivalent to rp_filter there, so this might be an actual loophole there.
Linux 3.3 introduced the rpfilter match type (for the raw and mangle chains). This can be used to implement filtering for IPv6. In userspace, iptables version version 1.4.14 is required.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
Fixed in GIT: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=910491b15367e188ae5e3a3a73f9b7f2d92e8fee
Enable IPv6_rpfilter by default: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a1a48ea3a2fc9f3174c814540cbf28b6a2105a7c