The Shoreline Firewall, "more commonly known as 'Shorewall', is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files".
A problem has been reported in the Shorewall Firewall that enables a Client accepted by MAC-Filter to bypass any other rule.
MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0
Describtion of the Issue:
If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf (Default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a Client is Positivly Authenticated through his MAC Adress, he bypasses all other Policies/Rules in Place, thus gaining total access.
Workaround:
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf, if you don't need it.
This Issue doesn't apply to any Shorewall Version before 2.2.0. Users of any Version before 2.2.5 are encouraged to updated to a newer version (at least 2.2.5, better 2.4.1) of Shorewall. Shorewall Version 2.0.x is still supported, but Users of 2.0.x are encouraged to upgrade to a newer version.
Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to updated to a version better than 2.2.5, as Shorewall 1.x is not any more supported and maintained.
