Bug 847707 - firewalld: needs source address validation
firewalld: needs source address validation
Product: Fedora
Classification: Fedora
Component: firewalld (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
: Security
Depends On: 847757
Blocks: 847708 1045104
  Show dependency treegraph
Reported: 2012-08-13 06:08 EDT by Florian Weimer
Modified: 2014-04-03 09:07 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1045104 (view as bug list)
Last Closed: 2014-04-03 09:07:34 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Florian Weimer 2012-08-13 06:08:19 EDT
ESTABLISHED/RELATED rules match packets irrespective of the interface they arrive on.  This means that without rp_filter=1, connected devices can inject traffic into existing flows and send packets to services to which they would not ordinarily have access.  Only rp_filter=1 prevents that, rp_filter=2 (loose uRPF) is not sufficient.

As far as I can tell, the default configuration sets rp_filter=1 on IPv4 interfaces, so this is just additional hardening for IPv4.  A sanity check in firewalld for the rp_filter setting might therefore be sufficient.

Not sure about IPv6, I couldn't find an equivalent to rp_filter there, so this might be an actual loophole there.
Comment 1 Florian Weimer 2012-08-14 09:19:19 EDT
Linux 3.3 introduced the rpfilter match type (for the raw and mangle chains).  This can be used to implement filtering for IPv6.  In userspace, iptables version version 1.4.14 is required.
Comment 2 Jaroslav Reznik 2013-04-05 08:24:41 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
Comment 4 Thomas Woerner 2014-01-13 09:48:42 EST
Enable IPv6_rpfilter by default: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a1a48ea3a2fc9f3174c814540cbf28b6a2105a7c

Note You need to log in before you can comment on or make changes to this bug.