[Bug 839292] New: default behavior of iptables rules generator creates security hole
https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c0

Summary: default behavior of iptables rules generator creates security hole
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86
OS/Version: openSUSE 12.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: alien.www@gmx.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=556542)
 --> (http://bugzilla.novell.com/attachment.cgi?id=556542)
real life flood

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

By default, the /usr/sbin/SuSEfirewall2 script installs the unconfigurable rule
"-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT" (in function
allow_basic_established). I'm running a SIP server and have a connection rate
limit in my FW setup, but I can't place anything before that default accepting
rule or change it. This leads to a situation where a SIP flood gets accepted
(and eats all of my bandwidth) since it is considered "established" (has
packets in both directions). See example log.

Reproducible: Always

Steps to Reproduce:
1. set up a SIP server
2. place any connection rate limit rules in SuseFirewall
3. register-flood your server from outside

Actual Results:
SIP flood passes through SuseFirewall

Expected Results:
SIP traffic should hit my rate limiting rule

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Ye Yuan
https://bugzilla.novell.com/show_bug.cgi?id=839292

Alberto Planas Dominguez
https://bugzilla.novell.com/show_bug.cgi?id=839292

--- Comment #1 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=839292#c1

--- Comment #2 from Alien A
https://bugzilla.novell.com/show_bug.cgi?id=839292#c2

--- Comment #3 from Alien A
https://bugzilla.novell.com/show_bug.cgi?id=839292#c3

Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=839292

--- Comment #4 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=839292#c4

--- Comment #5 from Alien A
https://bugzilla.novell.com/show_bug.cgi?id=839292#c5
> the udp parts might be default in the ESTABLISHED chain, but if it is a
> different session I wonder why they are marked ESTABLISHED at all.

My server initially responds with "403 Forbidden" or something similar. That
marks the connection as "established" and allows further packets from that
source to be accepted by the FW, I suppose.
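The mechanism the reporter describes above and in the bug description (one reply, even a SIP 403, is enough for conntrack to mark a UDP flow ESTABLISHED, after which an early "-m conntrack --ctstate ESTABLISHED -j ACCEPT" short-circuits any rate limit placed later in INPUT), as an added example that is not part of the bug report or of SuSEfirewall2. It models conntrack's UDP state handling and in-order rule evaluation over a constructed REGISTER flood, once with the ESTABLISHED accept ahead of the rate limit and once with the rate limit first. The iptables option subset it parses, the fixed one-second window standing in for hashlimit's token bucket, the addresses and the packet counts are all assumptions of the example.

```python
"""Model of the rule-order problem in this bug: an early
"-m conntrack --ctstate ESTABLISHED -j ACCEPT" ahead of a per-source
rate limit on UDP/5060. Added example, not code from the bug report or
SuSEfirewall2. Assumptions: only the options used below are parsed; the
hashlimit match is reduced to a fixed one-second window per source (real
hashlimit is a token bucket with --hashlimit-burst); addresses and packet
counts are constructed."""
import shlex
from collections import defaultdict, namedtuple

# Constructed rulesets. The first mirrors the order the reporter describes.
ESTABLISHED_FIRST = [
    "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A INPUT -p udp --dport 5060 -m hashlimit --hashlimit-above 20/sec "
    "--hashlimit-mode srcip --hashlimit-name sip -j DROP",
    "-A INPUT -p udp --dport 5060 -j ACCEPT",
    "-A INPUT -j DROP",
]
# Same rules with the rate limit evaluated before the ESTABLISHED accept.
RATELIMIT_FIRST = [ESTABLISHED_FIRST[1], ESTABLISHED_FIRST[0]] + ESTABLISHED_FIRST[2:]

# client = remote peer, server = our host, port = service port, from_server = reply we send
Packet = namedtuple("Packet", "client server proto port t from_server", defaults=(False,))
SIMPLE = {"-A": "chain", "-p": "proto", "-j": "target"}


def parse_rule(line):
    """Parse the iptables option subset used here (every option takes one argument)."""
    toks = shlex.split(line)
    rule = {}
    for flag, arg in zip(toks[::2], toks[1::2]):
        if flag in SIMPLE:
            rule[SIMPLE[flag]] = arg
        elif flag == "--dport":
            rule["dport"] = int(arg)
        elif flag == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif flag == "--hashlimit-above":        # e.g. "20/sec"; only per-second rates modelled
            rule["above"] = int(arg.split("/")[0])
        elif flag not in ("-m", "--hashlimit-mode", "--hashlimit-name"):
            raise ValueError(f"unsupported option {flag!r} in {line!r}")
    return rule


def flow_key(pkt):
    return (pkt.client, pkt.server, pkt.proto, pkt.port)


class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.flows = {}                                  # flow key -> reply seen?
        self.windows = defaultdict(lambda: [None, 0])    # srcip -> [window start, count]
        self.verdicts = {"ACCEPT": 0, "DROP": 0}

    def ctstate(self, pkt):
        """conntrack's view of a UDP flow: no handshake exists, so an entry is
        created by the first packet and becomes ESTABLISHED as soon as one
        packet has been seen in the reply direction (a SIP 403 is enough)."""
        return "ESTABLISHED" if self.flows.setdefault(flow_key(pkt), False) else "NEW"

    def above_limit(self, pkt, limit):
        """Simplified hashlimit --hashlimit-above: per-source count in a 1 s window."""
        w = self.windows[pkt.client]
        if w[0] is None or pkt.t - w[0] >= 1.0:
            w[0], w[1] = pkt.t, 0
        w[1] += 1
        return w[1] > limit

    def handle(self, pkt):
        """Return the INPUT verdict for an inbound packet. A reply we send only
        updates conntrack; it traverses OUTPUT, not INPUT."""
        if pkt.from_server:
            self.flows[flow_key(pkt)] = True
            return "OUTPUT"
        state = self.ctstate(pkt)
        for r in self.rules:                             # first matching terminating rule wins
            if r.get("proto", pkt.proto) != pkt.proto or r.get("dport", pkt.port) != pkt.port:
                continue
            if "ctstate" in r and state not in r["ctstate"]:
                continue
            # hashlimit only counts packets that reach it; an earlier ACCEPT starves it
            if "above" in r and not self.above_limit(pkt, r["above"]):
                continue
            self.verdicts[r["target"]] += 1
            return r["target"]
        raise RuntimeError("ruleset has no terminating rule")


def simulate(rules, flood_packets=200):
    """One REGISTER, our 403 reply, then a flood from the same source inside one
    second. Returns the INPUT verdict counts."""
    fw = Firewall(rules)
    attacker, us = "203.0.113.7", "192.0.2.10"           # constructed documentation addresses
    fw.handle(Packet(attacker, us, "udp", 5060, 0.0))                # initial REGISTER
    fw.handle(Packet(attacker, us, "udp", 5060, 0.001, True))        # our "403 Forbidden"
    for i in range(flood_packets):
        fw.handle(Packet(attacker, us, "udp", 5060, 0.01 + i * 0.004))
    return dict(fw.verdicts)


if __name__ == "__main__":
    print("ESTABLISHED accept first:", simulate(ESTABLISHED_FIRST))  # {'ACCEPT': 201, 'DROP': 0}
    print("rate limit first:        ", simulate(RATELIMIT_FIRST))    # {'ACCEPT': 20, 'DROP': 181}
```

With the generated ESTABLISHED accept first, the hashlimit rule sees exactly one packet (the initial REGISTER) and the remaining 200 are accepted as ESTABLISHED; with the rate limit first, everything above 20/sec from that source is dropped. On a real host the equivalent check is `iptables -L INPUT -n --line-numbers`, looking at where the conntrack ESTABLISHED rule sits relative to your hashlimit rule, and keeping in mind that for UDP "established" means nothing more than that conntrack has seen one packet back: any service that answers unauthenticated requests, even with an error, grants the sender an ESTABLISHED flow.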
--- Comment #6 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=839292#c6

participants (1)
- bugzilla_noreply@novell.com