Control: severity -1 grave
Control: tags -1 patch

On Wed 25 Feb 2015 20:44:36 CET, Jeffrey Sheinberg wrote:

> On Wed, Feb 25, 2015 at 04:30:34AM +0000, Mike Gabriel wrote:
>> Control: tag -1 moreinfo
>>
>> Hi Jeffrey,
>>
>> ...thanks for using/testing UIF. Can you please send what sudo iptables -L prints to stdout if you have a default firewall configuration as described above?...
>
> Hi Mike,
>
> I have attached these three files to this email,
>
> 1. Output of iptables -L (iptables-L.uif).
> 2. The uif.conf in use when 1. was run (uif.conf).
> 3. Output of iptables -L (iptables-L.ufw), when running ufw for comparison.
>
> Note that ufw does not respond to ping from external host, unlike uif.
>
> Thanks,
The issue actually goes deeper than I first thought. Thus, raising severity to grave, as there is a big flaw in the IPv4/IPv6-only code of uif.
Basically, the problem is that if using "+" rules for IPv4-only, e.g.

    in+ s=trusted(4) p=<service>
    in-

will allow <service> connects from the trusted IPv4 network, deny <service> connects from everywhere else.
BUT: when parsing this rule for IPv6, the s=trusted(4) gets ignored completely, but the p=<service> gets processed as if the s=trusted(4) was not there at all, thus allowing incoming connects for p=<service> from all IPv6 addresses.
@Jeffrey: The attached patch should close this immense security hole, thanks for bringing it up!!!
I'd appreciate it if you could test this patch (apply it to /usr/sbin/uif on your test system).
Thanks,
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff --git a/uif.pl b/uif.pl index 869dcae..6a386cb 100755 --- a/uif.pl +++ b/uif.pl @@ -563,9 +563,11 @@ sub validateData { $position =~ s/\((.+)\)$//; if (($ipv6) && ($only_proto eq "4")) { print "IPv6 setup: Skipping IPv4-only rule for network \"$position\"\n"; + $$rule{'Type'} = 'IGNORE-IPV4-ONLY'; next; } elsif ((! $ipv6) && ($only_proto eq "6")) { print "IPv4 setup: Skipping IPv6-only rule for network \"$position\"\n"; + $$rule{'Type'} = 'IGNORE-IPV6-ONLY'; next; } } @@ -960,6 +962,13 @@ sub genRuleDump { my $chains; foreach $rule (@$Rules) { + + if ( ($ipv6) && ($$rule{'Type'} eq "IGNORE-IPV4-ONLY") ) { + next; + } elsif ( (!$ipv6) && ($$rule{'Type'} eq "IGNORE-IPV6-ONLY") ) { + next; + } + my @protocol; my @source; my @destination;
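Review bot: In the validateData hunk, assigning 'IGNORE-IPV4-ONLY' / 'IGNORE-IPV6-ONLY' to $$rule{'Type'} overwrites the rule's original type, so any later validation step or diagnostic that reads the type sees the marker instead of the "+"/"-" rule kind; a separate key such as $$rule{'Skip'} = 1 would keep the type intact and give genRuleDump a single flag to check for both families. The `next` here only leaves the loop over network positions, so the rest of the rule is still validated, which is why the marker (rather than the existing "Skipping ... rule" message) is what actually stops the rule from being emitted.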
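Review bot: In the genRuleDump hunk, the `($ipv6)` / `(!$ipv6)` conditions are redundant, because validateData only ever sets IGNORE-IPV4-ONLY during the IPv6 setup and IGNORE-IPV6-ONLY during the IPv4 setup; a single `next if $$rule{'Type'} =~ /^IGNORE-/;` is shorter and cannot drift apart from the marker names used in validateData if another family-specific marker is added later. A regression check worth recording in the bug log: after applying the patch, `ip6tables -L INPUT -n` on the reporter's test system should no longer show an ACCEPT for the service from any source, while `iptables -L INPUT -n` must still show it restricted to the trusted network.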
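To make the two code paths concrete, here is an added Python model of the flaw and of the marker fix; it is not uif's Perl and not part of the bug report. The rule names, the service name ssh and the textual rule output are constructed placeholders, and the model only covers the source qualifier that the report describes.

```python
from copy import deepcopy

# Constructed rules in the spirit of the report: one "+" rule allowing a
# service from an IPv4-only network, followed by a catch-all "in-" deny.
# The service name "ssh" and the network name are placeholders.
RULES = [
    {"type": "in+", "sources": ["trusted(4)"], "proto": "ssh"},
    {"type": "in-", "sources": [], "proto": None},
]


def validate(rules, ipv6, fixed):
    """Model of validateData: drop networks of the wrong address family.

    fixed=False models the flaw: the qualifier vanishes but the rule stays.
    fixed=True models the patch: the whole rule is marked for skipping.
    """
    out = []
    for rule in deepcopy(rules):
        kept = []
        for net in rule["sources"]:
            family = net[net.rfind("(") + 1:-1] if net.endswith(")") else None
            if (ipv6 and family == "4") or (not ipv6 and family == "6"):
                if fixed:
                    rule["type"] = "IGNORE-IPV4-ONLY" if ipv6 else "IGNORE-IPV6-ONLY"
                continue  # qualifier dropped; without the marker the rule survives
            kept.append(net.split("(")[0])
        rule["sources"] = kept
        out.append(rule)
    return out


def dump(rules, ipv6):
    """Model of genRuleDump: a rule with no remaining source matches any host."""
    anywhere = "::/0" if ipv6 else "0.0.0.0/0"
    lines = []
    for rule in rules:
        if rule["type"].startswith("IGNORE-"):
            continue  # the patched path: marked rules never reach the dump
        action = "ACCEPT" if rule["type"].endswith("+") else "DROP"
        for src in rule["sources"] or [anywhere]:
            lines.append(f"INPUT {action} src={src} proto={rule['proto'] or 'all'}")
    return lines


def ruleset(ipv6, fixed):
    """Generated INPUT rules for one address family, buggy or patched."""
    return dump(validate(RULES, ipv6, fixed), ipv6)
```

With fixed=False the IPv6 ruleset accepts the service from ::/0, which is the fail-open behaviour reported above; with fixed=True only the catch-all deny remains for IPv6 and the IPv4 ruleset is unchanged.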