oss-security - Re: Attack on badly configured Netfilter-based firewalls

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Sat, 25 Feb 2012 21:10:36 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Attack on badly configured Netfilter-based
 firewalls

On sam., 2012-02-25 at 19:37 +0100, Eric Leblond wrote:
> Impact:
> An attacker on a local network can open some pinholes in a firewall
> which is not correctly protected.
> Fix:
> None, the issue has to be fixed in the firewall configuration.
> Workaround:
> Apply a strict anti-spoofing policy for IPv4 and IPv6 as described in
> the document "Secure use of iptables and connection tracking helpers" 
> This document was written after private disclosure of the attack to the
> Netfilter's team.
> 

Did you check how the various frontends to iptables (ferm, ufw,
shorewall and the gazillon others)? They might generate an “insecure”
ruleset and might be candidate to a fix.

Regards,
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.