Mailinglist Archive: opensuse-security (97 mails)
[Fwd: WARNING: Firewall package - security hole?]
- From: Ralph Clark <rclark@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 12 Oct 1999 01:23:35 +0100
- Message-id: <38027F87.E849173@xxxxxxxxxxxxxxxxxxxxxxxxxx>
I posted the following security warning on the suse-linux-e list earlier today and
someone sensibly suggested I forward it to this list. More later....
Ralph Clark wrote:
> Gentlemen,
>
> I am a grateful user of your firewall-2.2-12.rpm package on SuSE Linux 6.1,
> which uses ipchains. However I think I may have identified a security hole. It's
> rather obvious, so feel free to shoot me down in flames if either I'm doing
> something daft or if this was identified and resolved already.
>
> The problem seems to lie in the fact that I have ppp support compiled directly
> into my 2.2.12 kernel instead of as a loadable module, but perhaps someone else
> can check for us if the same problem occurs with the loadable module version.
>
> The /sbin/init.d/firewall script included in the package, which is run at boot
> time, tries to send a message to the external network interface ppp0 to tell the
> kernel to defeat spoofed IP addresses coming through that interface. It does
> this by writing a "2" into the file "/proc/sys/net/ipv4/conf/ppp0/rp_filter".
>
> However, at the time the boot process runs this script, the ppp0 interface has
> not yet been initialised. As a consequence, there is no entry in
> /proc/sys/net/ipv4/conf for this device and so the message does not get sent to
> the kernel.
>
> This means that anybody using this package as it is shipped will not be
> protected against spoofed packet headers coming in through their modem link.
>
> Apart from that ipchains and this firewall package are just the bee's knees.
>
> I'm going to try getting my connect script to write this message immediately
> after ppp has been started at the remote end but I'm not sure if the rp_filter
> file will be available yet, and in any case the spoofing protection really needs to
> be enabled BEFORE the ppp device starts accepting packets from the modem.
>
> I'd be grateful if anyone could tell me whether this issue has any known
> resolution.
>
> --
> rclark@xxxxxxxxxxxxxxxxxxxxxxxxxx Ralph Clark, Virgo Solutions Ltd (UK)
> __ _
> / / (_)__ __ ____ __ * Powerful * Flexible * Compatible * Reliable *
> / /__/ / _ \/ // /\ \/ / *Well Supported * Thousands of New Users Every Day*
> /____/_/_//_/\_,_/ /_/\_\ The Cost Effective Choice - Linux Means Business!
--
rclark@xxxxxxxxxxxxxxxxxxxxxxxxxx Ralph Clark, Virgo Solutions Ltd (UK)
__ _
/ / (_)__ __ ____ __ * Powerful * Flexible * Compatible * Reliable *
/ /__/ / _ \/ // /\ \/ / *Well Supported * Thousands of New Users Every Day*
/____/_/_//_/\_,_/ /_/\_\ The Cost Effective Choice - Linux Means Business!
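
The boot-ordering failure described in the message above, as an added shell example that is not part of the original mail or of the SuSE firewall package. It writes the interface's `rp_filter` entry when it exists, falls back to `conf/default` when the interface has not been created yet, and fails loudly otherwise. The function names are hypothetical, the value is supplied by the caller, and the fallback assumes the Linux behaviour that an interface created later copies its initial settings from `conf/default`.

```shell
#!/bin/sh
# Added example. CONF_ROOT is a parameter so the logic can be exercised
# against a constructed directory instead of the live /proc tree.
# Typical call from a boot script (VALUE chosen by the administrator):
#   set_rp_filter /proc/sys/net/ipv4/conf ppp0 "$VALUE" || exit 1

# set_rp_filter CONF_ROOT IFACE VALUE
# Prints which entry was written: "iface" or "default".
# Returns 1 if nothing could be written, so the caller can stop instead of
# bringing the link up without source-address validation.
set_rp_filter() {
    conf_root=$1; iface=$2; value=$3
    target="$conf_root/$iface/rp_filter"
    fallback="$conf_root/default/rp_filter"

    if [ -w "$target" ]; then
        echo "$value" > "$target" || return 1
        echo iface
    elif [ -w "$fallback" ]; then
        # Interface not created yet (the ppp0 case in the mail): set the
        # template that later-created interfaces take their settings from.
        echo "$value" > "$fallback" || return 1
        echo default
    else
        echo "rp_filter: no writable entry for $iface or default" >&2
        return 1
    fi
}

# check_rp_filter CONF_ROOT IFACE VALUE
# For use once the link is up (for example from a ppp ip-up hook): succeeds
# only if the interface entry exists and holds the expected value.
check_rp_filter() {
    [ -r "$1/$2/rp_filter" ] && [ "$(cat "$1/$2/rp_filter")" = "$3" ]
}
```

Running `check_rp_filter` after the link comes up turns the silent miss described in the mail into a detectable failure.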