Bug 847707 – firewalld: needs source address validation

Bug 847707 - firewalld: needs source address validation

Summary:	firewalld: needs source address validation

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	firewalld (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Depends On:	847757
Blocks:	847708 1045104
	Show dependency tree / graph

Reported:	2012-08-13 06:08 EDT by Florian Weimer
Modified:	2014-04-03 09:07 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Clones:	1045104 (view as bug list)
Environment:
Last Closed:	2014-04-03 09:07:34 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Florian Weimer 2012-08-13 06:08:19 EDT

ESTABLISHED/RELATED rules match packets irrespective of the interface they arrive on.  This means that without rp_filter=1, connected devices can inject traffic into existing flows and send packets to services to which they would not ordinarily have access.  Only rp_filter=1 prevents that, rp_filter=2 (loose uRPF) is not sufficient.

As far as I can tell, the default configuration sets rp_filter=1 on IPv4 interfaces, so this is just additional hardening for IPv4.  A sanity check in firewalld for the rp_filter setting might therefore be sufficient.

Not sure about IPv6, I couldn't find an equivalent to rp_filter there, so this might be an actual loophole there.

Comment 1 Florian Weimer 2012-08-14 09:19:19 EDT

Linux 3.3 introduced the rpfilter match type (for the raw and mangle chains).  This can be used to implement filtering for IPv6.  In userspace, iptables version version 1.4.14 is required.

Comment 2 Jaroslav Reznik 2013-04-05 08:24:41 EDT

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 3 Thomas Woerner 2014-01-13 09:42:11 EST

Fixed in GIT: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=910491b15367e188ae5e3a3a73f9b7f2d92e8fee

Comment 4 Thomas Woerner 2014-01-13 09:48:42 EST

Enable IPv6_rpfilter by default: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a1a48ea3a2fc9f3174c814540cbf28b6a2105a7c

Comment 5 Jiri Popelka 2014-04-03 09:07:34 EDT

https://admin.fedoraproject.org/updates/FEDORA-2014-0752/firewalld-0.3.9.3-1.fc19

Note You need to log in before you can comment on or make changes to this bug.