Shorewall MACLIST Rules-Override Problem ------------------------------------ Release Date: 17.07.05 Severity: High Affected Version: Shorewall 2.2.x and 2.4.x ------------------------------------ Synopsis: A Problem has been reported in the Shorewall Firewall (http://shorewall.net) that enables a Client accepted by MAC-Filter to bypass any other rule. ----------------------------------- About Shorewall: The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. (Take from http://www.shorewall.net) MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0 ------------------------------------ Describtion of the Issue: If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf (Default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a Client is Positivly Authenticated through his MAC Adress, he bypasses all other Policies/Rules in Place, thus gaining total access. ------------------------------------ Fix: Workaround: Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf, if you don't need it. Update: For 2.4.x, the fixed Version is available at: http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall For 2.2.x, the fixed Version is available at: http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall This Issue doesn't apply to any Shorewall Version before 2.2.0. Users of any Version before 2.2.5 are encouraged to updated to a newer Version (at least 2.2.5, better 2.4.1) of Shorewall. Shorewall Version 2.0.x is still supported, but Users of 2.0.x are encouraged to upgrade to a newer version. Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to updated to a version better than 2.2.5, as Shorewall 1.x is not any more supported and maintained. ----------------------------------- Info: Timeline: Report: 17.07.05 Confirmation: 17.07.05 Fix: 17.07.05 Disclosure: 17.07.06 Thanks to Supernaut for Reporting this to us, and to Tom for fixing it that quick ------------------------------------ The Shorewall Team --
Attachment:
signature.asc
Description: This is a digitally signed message part