Control: severity -1 grave
Control: tags -1 patch

On Wed 25 Feb 2015 20:44:36 CET, Jeffrey Sheinberg wrote:

On Wed, Feb 25, 2015 at 04:30:34AM +0000, Mike Gabriel wrote:
Control: tag -1 moreinfo

Hi Jeffrey,

...
thanks for using/testing UIF.

Can you please send what

  sudo iptables -L

prints to stdout if you have a default firewall configuration as
described above?
...

Hi Mike,

I have attached these three files to this email,

    1. Output of iptables -L (iptables-L.uif).

    2. The uif.conf in use when 1. was run (uif.conf).

    3. Output of iptables -L (iptables-L.ufw), when running ufw for
    comparison.  Note that ufw does not respond to ping from external
    host, unlike uif.

Thanks,

The issue actually goes deeper than I first thought. Thus, raising severity to grave, as there is a big flaw in the IPv4/IPv6-only code of uif.

Basically, the problem is that if using "+" rules for IPV4-only, e.g.

  in+  s=trusted(4) p=<service>
  in-

will allow <service> connects from the trusted IPv4 network and deny <service> connects from everywhere else.

BUT: when parsing this rule for IPv6, the s=trusted(4) gets ignored completely, while the p=<service> gets processed as if the s=trusted(4) were not there at all, thus allowing incoming connects for p=<service> from all IPv6 addresses.

@Jeffrey: The attached patch should close this immense security hole, thanks for bringing it up!!!

I'd appreciate if you could test this patch (apply it to /usr/sbin/uif on your test system).

Thanks,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff --git a/uif.pl b/uif.pl
index 869dcae..6a386cb 100755
--- a/uif.pl
+++ b/uif.pl
@@ -563,9 +563,11 @@ sub validateData {
                                                $position =~ s/\((.+)\)$//;
                                                if (($ipv6) && ($only_proto eq 
"4")) {
                                                        print "IPv6 setup: 
Skipping IPv4-only rule for network \"$position\"\n";
+                                                       $$rule{'Type'} = 
'IGNORE-IPV4-ONLY';
                                                        next;
                                                } elsif ((! $ipv6) && 
($only_proto eq "6")) {
                                                        print "IPv4 setup: 
Skipping IPv6-only rule for network \"$position\"\n";
+                                                       $$rule{'Type'} = 
'IGNORE-IPV6-ONLY';
                                                        next;
                                                }
                                        }
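Review bot: the marker is set from inside the per-network loop (the pre-existing `next` skips one `$position`), so a single family-suffixed network is enough to flag the whole rule: a rule like `in+ s=trusted(4),dmz p=ssh` would now vanish from the IPv6 ruleset entirely, dual-stack dmz part included, with nothing but the per-network "Skipping IPv4-only rule for network" message to show for it. Either record the skip per position and emit the rule with the remaining networks, or at least print that the entire rule is being dropped. Also, assigning to `$$rule{'Type'}` overwrites whatever the rule's original type was, so anything that consults Type after validateData (error messages, later passes) sees the marker instead; a separate key such as `$$rule{'SkipFamily'}` would avoid that.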
@@ -960,6 +962,13 @@ sub genRuleDump {
        my $chains;
 
        foreach $rule (@$Rules) {
+
+               if ( ($ipv6) && ($$rule{'Type'} eq "IGNORE-IPV4-ONLY") ) {
+                       next;
+               } elsif ( (!$ipv6) && ($$rule{'Type'} eq "IGNORE-IPV6-ONLY") ) {
+                       next;
+               }
+
                my @protocol;
                my @source;
                my @destination;
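Review bot: the two branches repeat the family test that validateData already made when it chose which marker to set ('IGNORE-IPV4-ONLY' is only ever assigned under `$ipv6`, 'IGNORE-IPV6-ONLY' only under `!$ipv6`), so the duplicated condition here has to be kept in sync with the one at line 563; a single `next if $$rule{'Type'} =~ /^IGNORE-/;` is sufficient as long as both functions run with the same `$ipv6`. Since the filter lives only in genRuleDump, please check that no other consumer of `@$Rules` renders rules without it, otherwise the marked rules would still reach iptables on that path.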

Attachment: pgpZz_1GdJE56.pgp
Description: Digital PGP signature

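The flaw Mike describes, and the semantics of the patch as I read the hunk, as an added example in Python that is not uif's own Perl code: a tiny model of uif-style "+"/"-" rules with a "(4)"/"(6)" network suffix, rendered once with the reported behaviour (the IPv4-only source silently vanishes and the rule is emitted unrestricted for IPv6) and once with the patched behaviour (the whole rule is dropped for the other family). The network names, prefixes, service table and the uif.conf fragment are constructed for the example. The `unrestricted_accepts` check at the end takes `ip6tables -S` style lines, so it can also be run against the dump of a real test box.

```python
import re

# Constructed network and service tables (hypothetical names and prefixes).
NETWORKS = {
    "trusted": {"4": ["192.0.2.0/24"], "6": []},                  # IPv4 only
    "dmz":     {"4": ["198.51.100.0/24"], "6": ["2001:db8:1::/64"]},  # dual-stack
}
SERVICES = {"ssh": ("tcp", 22), "http": ("tcp", 80)}

RULE_RE = re.compile(r"^(in|out)([+-])\s*(.*)$")
PARAM_RE = re.compile(r"\b([sdp])=(\S+)")
PROTO_SUFFIX_RE = re.compile(r"^(.+)\((4|6)\)$")


def parse_rule(line):
    """Parse one uif-style rule line, e.g. 'in+ s=trusted(4) p=ssh'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {line!r}")
    direction, action, rest = m.groups()
    params = dict(PARAM_RE.findall(rest))
    sources = params["s"].split(",") if "s" in params else []
    return {"dir": direction, "action": action,
            "sources": sources, "service": params.get("p")}


def split_proto_suffix(name):
    """'trusted(4)' -> ('trusted', '4'); 'dmz' -> ('dmz', None)."""
    m = PROTO_SUFFIX_RE.match(name)
    return (m.group(1), m.group(2)) if m else (name, None)


def expand_rule(rule, family, fixed):
    """Render one parsed rule for address family '4' or '6' as a list of
    iptables -S style lines.  fixed=False reproduces the reported bug."""
    chain = "INPUT" if rule["dir"] == "in" else "OUTPUT"
    target = "ACCEPT" if rule["action"] == "+" else "DROP"
    kept = []
    for src in rule["sources"]:
        name, only = split_proto_suffix(src)
        if only is not None and only != family:
            if fixed:
                # Patched semantics (my reading of the hunk): one network of
                # the other family marks the whole rule as ignored.
                return []
            continue  # buggy: the source silently vanishes, the rule stays
        kept.append(name)
    match = ""
    if rule["service"]:
        proto, port = SERVICES[rule["service"]]
        match = f" -p {proto} --dport {port}"
    if kept:
        prefixes = [p for n in kept for p in NETWORKS[n][family]]
        if not prefixes:
            return []  # named network has no address in this family
        return [f"-A {chain} -s {p}{match} -j {target}" for p in prefixes]
    # No source left: intended for a bare 'in-'; in buggy mode this is also
    # reached when every configured source was skipped, which is the hole.
    return [f"-A {chain}{match} -j {target}"]


def generate(conf_lines, family, fixed):
    """Render a whole constructed uif.conf fragment for one family."""
    out = []
    for line in conf_lines:
        if line.strip() and not line.lstrip().startswith("#"):
            out.extend(expand_rule(parse_rule(line), family, fixed))
    return out


def unrestricted_accepts(dump_lines):
    """INPUT ACCEPT rules without any -s restriction; usable on the
    output of 'ip6tables -S INPUT' as a quick regression check."""
    return [l for l in dump_lines
            if l.startswith("-A INPUT") and " -j ACCEPT" in l and " -s " not in l]


# Constructed uif.conf fragment matching the report.
CONF = ["in+ s=trusted(4) p=ssh", "in-"]

if __name__ == "__main__":
    for fixed in (False, True):
        v6 = generate(CONF, "6", fixed)
        print("fixed" if fixed else "buggy", "IPv6:", v6,
              "holes:", unrestricted_accepts(v6))
```

Feeding the lines of `ip6tables -S INPUT` from the test system into `unrestricted_accepts` before and after applying the patch shows the difference without reading the full dump. The model also makes the patch's trade-off visible: a mixed rule such as `in+ s=trusted(4),dmz p=http` drops out of the IPv6 set completely once the marker is set, dmz included.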