Shorewall MACLIST Problem

From: Patrick Blitz (blitz_at_post891.org)
Date: 07/18/05

    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    Date: Mon, 18 Jul 2005 01:24:25 +0200

    Shorewall MACLIST Rules-Override Problem
    ------------------------------------
    Release Date: 17.07.05
    Severity: High
    Affected Version: Shorewall 2.2.x and 2.4.x
    ------------------------------------
    Synopsis:
    A problem has been reported in the Shorewall Firewall
    (http://shorewall.net) that enables a client accepted by the MAC filter
    to bypass any other rule.

    -----------------------------------
    About Shorewall:

    The Shoreline Firewall, more commonly known as "Shorewall", is a
    high-level tool for configuring Netfilter. You describe your
    firewall/gateway requirements using entries in a set of configuration
    files. Shorewall reads those configuration files and with the help of
    the iptables utility, Shorewall configures Netfilter to match your
    requirements. Shorewall can be used on a dedicated firewall system, a
    multi-function gateway/router/server or on a standalone GNU/Linux
    system.
    (Taken from http://www.shorewall.net)

    MACLIST_TTL, the parameter in question, was introduced in Shorewall
    2.2.0.
    ------------------------------------

    Description of the Issue:

    If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION
    is set to "ACCEPT" in /etc/shorewall/shorewall.conf
    (the default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a
    client is positively authenticated through its MAC address, it bypasses
    all other policies/rules in place, thus gaining total access.

    ------------------------------------
    Fix:

    Workaround:
    Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT
    in /etc/shorewall/shorewall.conf if you don't need it.
    Update:
    For 2.4.x, the fixed version is available at:
    http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall

    For 2.2.x, the fixed version is available at:
    http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall

    This issue doesn't apply to any Shorewall version before 2.2.0.
    Users of any version before 2.2.5 are encouraged to update to a newer
    version (at least 2.2.5, better 2.4.1) of Shorewall.
    Shorewall version 2.0.x is still supported, but users of 2.0.x are
    encouraged to upgrade to a newer version.
    Shorewall users of versions 1.0, 1.2 and 1.4 are strongly encouraged to
    update to a version better than 2.2.5, as Shorewall 1.x is no longer
    supported and maintained.

    -----------------------------------
    Info:
    Timeline:
    Report: 17.07.05
    Confirmation: 17.07.05
    Fix: 17.07.05
    Disclosure: 17.07.06

    Thanks to Supernaut for reporting this to us,
    and to Tom for fixing it that quickly.
    ------------------------------------

    The Shorewall Team

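The exposed combination the advisory describes (MACLIST_TTL greater than 0, or MACLIST_DISPOSITION set to ACCEPT) can be checked for in a shorewall.conf-style file with the following POSIX shell script. This is an added example, not code from the advisory or from the Shorewall project; the function names are my own and the sample configs it reads are constructed inline.

```shell
#!/bin/sh
# Added check, not part of the advisory or of Shorewall itself: reads a
# shorewall.conf-style file and reports whether the MACLIST settings the
# advisory describes (MACLIST_TTL > 0 or MACLIST_DISPOSITION=ACCEPT) are set.

# Print the value of KEY ($1) from FILE ($2): last uncommented assignment
# wins, surrounding double quotes stripped; prints nothing if KEY is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 (true) when the file has the exposed combination the advisory
# names, 1 when the workaround (MACLIST_TTL=0, MACLIST_DISPOSITION=REJECT)
# or the defaults are in effect.
maclist_exposed() {
    disp=$(conf_value MACLIST_DISPOSITION "$1")
    ttl=$(conf_value MACLIST_TTL "$1")
    [ "$disp" = ACCEPT ] && return 0
    case "$ttl" in
        ''|0)     return 1 ;;   # unset or 0: TTL caching off (the default)
        *[!0-9]*) return 1 ;;   # not a number: not treated as a positive TTL
        *)        return 0 ;;   # positive TTL: MAC-verified hosts bypass rules
    esac
}

# Constructed sample configs (not taken from any real system).
VULN_TTL=$(mktemp); VULN_DISP=$(mktemp); SAFE=$(mktemp)
trap 'rm -f "$VULN_TTL" "$VULN_DISP" "$SAFE"' EXIT
cat > "$VULN_TTL" <<'EOF'
# MACLIST_TTL=0            <- commented out, must be ignored
MACLIST_DISPOSITION="REJECT"
MACLIST_TTL=60
EOF
cat > "$VULN_DISP" <<'EOF'
MACLIST_DISPOSITION=ACCEPT
MACLIST_TTL=0
EOF
cat > "$SAFE" <<'EOF'
MACLIST_DISPOSITION=REJECT
MACLIST_TTL=0
EOF

for f in "$VULN_TTL" "$VULN_DISP" "$SAFE"; do
    if maclist_exposed "$f"; then echo "$f: EXPOSED"; else echo "$f: ok"; fi
done
```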