[Bug 839292] New: default behavior of iptables rules generator creates security hole
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c0

Summary: default behavior of iptables rules generator creates security hole
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86
OS/Version: openSUSE 12.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: alien.www@gmx.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=556542)
--> (http://bugzilla.novell.com/attachment.cgi?id=556542)
real life flood

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

By default, the /usr/sbin/SuSEfirewall2 script installs the unconfigurable rule
"-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT" (in function allow_basic_established).
I'm running a SIP server and have a connection rate limit in my FW setup, but I can't place anything before that default accepting rule or change it. This leads to a situation where a SIP flood gets accepted (and eats all of my bandwidth) since it is considered "established" (has packets in both directions). See example log.

Reproducible: Always

Steps to Reproduce:
1. set up a SIP server
2. place any connection rate limit rules in SuseFirewall
3. register-flood your server from outside

Actual Results: SIP flood passes through SuseFirewall

Expected Results: SIP traffic should hit my rate limiting rule

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=839292

Ye Yuan <yyuan@suse.com> changed:
  CC: (added) yyuan@suse.com
  AssignedTo: bnc-team-screening@forge.provo.novell.com -> meissner@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=839292

Alberto Planas Dominguez <aplanas@suse.com> changed:
  Status Whiteboard: (added) GOLD
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c1

Marcus Meissner <meissner@suse.com> changed:
  Status: NEW -> NEEDINFO
  InfoProvider: (added) alien.www@gmx.com

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-09-27 09:34:55 UTC ---

How do you try to insert your rule? What does it look like?

It should be possible via the custom rules support:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Instead of -A INPUT to append your rule at the end, you can use -I INPUT 0 to add it at the beginning.
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c2

Alien A <alien.www@gmx.com> changed:
  Status: NEEDINFO -> NEW
  InfoProvider: alien.www@gmx.com -> (removed)

--- Comment #2 from Alien A <alien.www@gmx.com> 2013-09-27 13:38:23 UTC ---

First I was trying to do it with FW_SERVICES_ACCEPT_EXT. Then I decided to make my own rules and place them in SuSEfirewall2-custom (in fw_custom_before_port_handling()). But often the flooder was able to bypass it. My debug showed that it was accepted by the default "--ctstate ESTABLISHED -j ACCEPT" rule.

For now I found a workaround: delete that rule and add my own with an exception:

    iptables -D INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED ! --ctorigdstport 5060:5061 -j ACCEPT

It works, but I think it would be nice to have option(s) in /etc/sysconfig/SuSEfirewall2 to change or disable that "--ctstate ESTABLISHED -j ACCEPT".

By default, any "established" traffic gets accepted without any further flood control. That can affect any service, not only SIP.

I'll attach my whole SuSEfirewall2-custom file.
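An added example, not code from the bug report or from SuSEfirewall2 itself, that combines the custom-rules route from comment #1 with the goal of comment #2: a SuSEfirewall2-custom hook that inserts a per-source SIP rate limit at position 1 of INPUT (iptables numbers rules from 1), so it is evaluated before the generator's unconditional ESTABLISHED accept instead of being bypassed by it. It assumes iptables with the hashlimit match, SIP on tcp/udp 5060:5061, and illustrative rate and burst values; the last function is a check that reads `iptables -S INPUT` output and confirms the ordering actually came out right.

```shell
#!/bin/sh
# Added example (not from the bug report or SuSEfirewall2). Inserts a per-source
# SIP rate limit ahead of "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT".
# Assumptions: hashlimit match available; SIP on 5060:5061; values are illustrative.

SIP_PORTS="5060:5061"
SIP_RATE="${SIP_RATE:-10/second}"   # per-source steady-state rate (assumed value)
SIP_BURST="${SIP_BURST:-20}"        # per-source burst allowance (assumed value)
IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo for a dry run

# Print the iptables arguments for one protocol. "-I INPUT 1" inserts at the
# first position, so conntrack state can no longer short-circuit the limit:
# packets from a source above the rate are dropped, everything else continues
# down the chain to the normal SuSEfirewall2 rules.
sip_limit_rule() {
  p="$1"
  printf '%s' "-I INPUT 1 -p $p --dport $SIP_PORTS \
-m hashlimit --hashlimit-name sip_$p --hashlimit-mode srcip \
--hashlimit-above $SIP_RATE --hashlimit-burst $SIP_BURST -j DROP"
}

# Hook name from /etc/sysconfig/scripts/SuSEfirewall2-custom, as named in the
# thread. udp is inserted last so it ends up at position 1, tcp at position 2.
fw_custom_before_port_handling() {
  for proto in tcp udp; do
    # word splitting of the generated argument string is intentional
    $IPTABLES $(sip_limit_rule "$proto")
  done
}

# Verification: given the output of "iptables -S INPUT", succeed only if a
# sip_ hashlimit rule appears before the ESTABLISHED accept.
sip_limit_precedes_established() {
  printf '%s\n' "$1" | awk '
    /hashlimit-name sip_/ && !seen_est { limited = 1 }
    /--ctstate ESTABLISHED -j ACCEPT/  { seen_est = 1 }
    END { exit (limited ? 0 : 1) }'
}
```

After loading the hook, `sip_limit_precedes_established "$(iptables -S INPUT)"` is the check worth running, since the whole complaint in the thread is about rule order rather than rule content.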
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c3

--- Comment #3 from Alien A <alien.www@gmx.com> 2013-09-27 13:39:20 UTC ---

Created an attachment (id=560567)
--> (http://bugzilla.novell.com/attachment.cgi?id=560567)
my SuSEfirewall2-custom
https://bugzilla.novell.com/show_bug.cgi?id=839292

Marcus Meissner <meissner@suse.com> changed:
  Attachment #560567 mime type: application/octet-stream -> text/plain
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2013-09-27 15:42:12 UTC ---

The tcp attempts should not be ESTABLISHED by default, I suspect, and could be handled similar to the ssh recent.

The udp parts might be in the ESTABLISHED chain by default, but if it is a different session I wonder why they are marked ESTABLISHED at all.
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c5

--- Comment #5 from Alien A <alien.www@gmx.com> 2013-09-27 16:36:30 UTC ---

(In reply to comment #4)
> the udp parts might be default in the ESTABLISHED chain., but if it is a different session i wonder why they are marked ESTABLISHED at all.

My server initially responds with "403 Forbidden" or something similar. That marks the connection as "established" and allows further packets from that source to be accepted by the FW, I suppose.
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2013-11-04 13:21:03 UTC ---

Does using the SIP connection tracking module help perhaps? How did you open the port to the outside?

Add to the FW_LOAD_MODULES line:

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_sip"

That one parses the packets flowing in and out and might manage the ESTABLISHED rule better.

(But this is just guessing, I am a bit in over my head here.)