|
|
|
|
| |
The Shoreline Firewall, "more commonly known as 'Shorewall', is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files".
A problem has been reported in the Shorewall Firewall that enables a Client accepted by MAC-Filter to bypass any other rule. |
| |
Credit:
The information has been provided by Patrick Blitz.
The original article can be found at: http://shorewall.net/News.htm#20050717
|
| |
MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0
Describtion of the Issue:
If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf (Default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a Client is Positivly Authenticated through his MAC Adress, he bypasses all other Policies/Rules in Place, thus gaining total access.
Workaround:
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf, if you don't need it.
Update:
For 2.4.x, the fixed Version is available at:
http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall
For 2.2.x, the fixed Version is available at:
http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall
This Issue doesn't apply to any Shorewall Version before 2.2.0. Users of any Version before 2.2.5 are encouraged to updated to a newer version (at least 2.2.5, better 2.4.1) of Shorewall. Shorewall Version 2.0.x is still supported, but Users of 2.0.x are encouraged to upgrade to a newer version.
Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to updated to a version better than 2.2.5, as Shorewall 1.x is not any more supported and maintained.
|
|
|
|
|
