Florian Weimer wrote:
> As far as I understand it, from the perspective of the security team,
> it is not clear if the upstream change breaks existing user
> configurations. Users might rely on the current behavior and use it
> to deliberately weaken the filter policy. This is a reasonable
> question because the existing documentation is quite unclear about
> what MAC filters actually do.
>
> There are actually two behavioral changes we are talking about.
>
> The MACLIST_DISPOSITION=ACCEPT case is the easy one. If the user has
> activated this option, all hosts listed in the "maclist" configuration
> file are still filtered as desired. However, packets from any host
> whose MAC address is NOT listed there are accepted (and forwarded) by
> the firewall. (As far as I can see, this is not what has been
> described before, but I've checked that this is really the case.)
> This means that this behavior is virtually useless, and it is
> extremely unlikely that anyone uses it deliberately.
>
> The other case is MACLIST_TTL=nnn. This is a bit more complicated
> because the effect is restricted to hosts listed in "maclist" only.
> These hosts can bypass the remaining filter rules, so this might
> actually be useful in some scenarios, although it completely bypasses
> shorewall's zone concept. However, the MACLIST_TTL=nnn setting is
> documented as a performance optimization only ("The performance of
> configurations with a large numbers of entries in
> /etc/shorewall/maclist can be improved by setting the MACLIST_TTL
> variable."). Despite the ambiguity of the documentation, this makes
> it rather unlikely that users have discovered this behavior and use it
> deliberately to implement their filtering policy.
>
> I've also skimmed the shorewall-users mailing list, but couldn't find
> a complaint that the firewall behavior changed in an unanticipated way
> after the security upgrade.
So a summary would be to leave the package as it is in sarge, right?
Regards,
Joey
--
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.
Please always Cc to me when replying to me on the lists.
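As an added illustration of the two MACLIST behaviours Florian describes (not code from the thread or from the shorewall project), the script below audits a shorewall.conf and reports whether a sarge-era configuration depends on either of them before the package is upgraded. It assumes the usual KEY=value shorewall.conf syntax; the sample file is constructed, and treating an empty or zero MACLIST_TTL as "disabled" is an assumption.

```shell
#!/bin/sh
# Added example: flag shorewall.conf settings whose effect the thread
# found to be undocumented. Not part of the original message.

# Print the effective value of KEY from a shorewall.conf-style file:
# drop trailing comments, trim whitespace, strip double quotes; the
# last assignment wins, as in the shell-sourced file shorewall reads.
conf_get() {
    key=$1; file=$2
    sed -n "s/^[[:space:]]*$key=//p" "$file" \
        | sed 's/#.*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# Exit status: 0 = neither behaviour is in use,
#              1 = MACLIST_DISPOSITION=ACCEPT (unlisted MACs are accepted),
#              2 = MACLIST_TTL set (listed MACs bypass the remaining rules),
#              3 = both.
maclist_audit() {
    file=$1; rc=0
    disp=$(conf_get MACLIST_DISPOSITION "$file")
    ttl=$(conf_get MACLIST_TTL "$file")
    if [ "$disp" = "ACCEPT" ]; then
        echo "MACLIST_DISPOSITION=ACCEPT: hosts NOT in maclist are accepted and forwarded"
        rc=$((rc + 1))
    fi
    # Assumption: an empty or zero TTL means the option is not in effect.
    if [ -n "$ttl" ] && [ "$ttl" != "0" ]; then
        echo "MACLIST_TTL=$ttl: hosts in maclist bypass the remaining filter rules"
        rc=$((rc + 2))
    fi
    return $rc
}

# Constructed sample configuration for a stand-alone run (not a system file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# comment line
MACLIST_DISPOSITION=ACCEPT   # trailing comment
MACLIST_TTL="60"
EOF
maclist_audit "$sample" || echo "audit exit status $?"
rm -f "$sample"
```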