On 6/5/11 11:03 AM, KP Kirchdoerfer wrote:
> Hi Tom;
>
> On Sunday, 5 June 2011, at 18:32:28, Tom Eastep wrote:
>> 2) Network developers have discovered an exploit that allows hosts to
>> poke holes in a firewall. The known ways to protect against the
>> exploit are:
>>
>> a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
>> and can't be used with some multi-ISP configurations.
>>
>> b) Insert a DROP rule that prevents hairpinning (routeback). The
>> rule must be inserted before any ESTABLISHED,RELATED firewall
>> rules. This approach is not appropriate for bridges and other
>> cases, where the 'routeback' option is specified or implied.
>>
>> For non-routeback interfaces, Shorewall and Shorewall6 will insert
>> a hairpin rule, provided that the routefilter option is not
>> specified. The rule will dispose of hairpins according to the
>> setting of two new options in shorewall.conf and shorewall6.conf:
>>
>> SFILTER_LOG_LEVEL
>> Specifies the logging level; default is 'info'. To omit
>> logging, specify SFILTER_LOG_LEVEL=none.
>>
>> SFILTER_DISPOSITION
>> Specifies the disposition. Default is DROP and the possible
>> values are DROP, A_DROP, REJECT and A_REJECT.
>>
>> To deal with bridges and other routeback interfaces, there is now
>> an 'sfilter' option in /shorewall/interfaces and
>> /etc/shorewall6/interfaces.
>>
>> The value of the 'sfilter' option is a list of network addresses
>> enclosed in parentheses. Where only a single address is listed,
>> the parentheses may be omitted. When a packet from a
>> source-filtered address is received on the interface, it is
>> disposed of based on the new SFILTER_ options described above.
>>
>> For a bridge or other routeback interface, you should list all of
>> your other local networks (those networks not attached to the
>> bridge) in the bridge's sfilter list.
>
> I'm a bit puzzled.
>
> Can you provide a link to a more in-depth description?
The details have not yet been made public.

> Does that mean all shorewall versions <= 4.4.19 are affected?

Only those who don't specify 'routefilter' on their interfaces.

-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
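The two mitigations Tom lists, expressed as raw netfilter commands so the ordering requirement is visible. This is an added example, not Shorewall's own rule generator and not part of the thread; the interface names, the local networks, and the per-interface chain name `<iface>_in` are constructed for illustration, and the SFILTER_DISPOSITION / SFILTER_LOG_LEVEL settings are only modelled as function arguments.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the two mitigations from the thread
# expressed as raw netfilter commands so the ordering requirement is visible.
# Interface names, networks and the "<iface>_in" chain name are constructed for
# illustration.

# Constructed table of local networks: "interface network", one per line.
LOCAL_NETS='eth1 192.168.1.0/24
eth2 192.168.2.0/24
br0 10.0.0.0/24
br0 10.0.1.0/24'

# Networks that must never appear as a packet source on interface $1: every
# local network attached to some other interface.  This is the list the thread
# says to put in a bridge's 'sfilter' option.
other_nets() {
    printf '%s\n' "$LOCAL_NETS" | awk -v ifc="$1" '$1 != ifc { print $2 }'
}

# Rules for interface $1, disposition $2 (DROP or REJECT, default DROP) and
# log level $3 ("none" suppresses the LOG rule).  The source-filter rules are
# emitted before the ESTABLISHED,RELATED ACCEPT: a spoofed packet that matches
# an existing conntrack entry would otherwise be accepted before it is checked.
sfilter_rules() {
    ifc=$1; disp=${2:-DROP}; level=${3:-info}
    for net in $(other_nets "$ifc"); do
        if [ "$level" != none ]; then
            echo "iptables -A ${ifc}_in -s $net -j LOG --log-level $level --log-prefix \"Shorewall:sfilter:$disp:\""
        fi
        echo "iptables -A ${ifc}_in -s $net -j $disp"
    done
    echo "iptables -A ${ifc}_in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Mitigation (a) for a plain IPv4 interface: kernel reverse-path filtering,
# the sysctl behind Shorewall's 'routefilter' option.  IPv4 only, as the
# thread notes.
rpfilter_sysctl() {
    echo "sysctl -w net.ipv4.conf.$1.rp_filter=1"
}

# Reads a rule listing on stdin and prints "ok" if no DROP/REJECT rule comes
# after the ESTABLISHED,RELATED ACCEPT, "bad" otherwise.
check_order() {
    awk '/ESTABLISHED,RELATED/ { seen = 1 }
         /-j (DROP|REJECT)/ && seen { bad = 1 }
         END { print (bad ? "bad" : "ok") }'
}

# Show the bridge's rules, confirm the ordering, and the sysctl for eth1.
sfilter_rules br0 DROP info
sfilter_rules br0 DROP info | check_order
rpfilter_sysctl eth1
```

`check_order` encodes the one constraint the thread stresses: the source-filter disposition has to sit ahead of the ESTABLISHED,RELATED rule, since conntrack matching happens on the spoofed source/destination pair and would otherwise let the packet through. In Shorewall itself you would not write these rules by hand; for a bridge you would list the other local networks in the interface's `sfilter` option (the thread describes the value as a parenthesised list, so something like `sfilter=(192.168.1.0/24,192.168.2.0/24)` is the assumed form here) and let SFILTER_DISPOSITION and SFILTER_LOG_LEVEL in shorewall.conf pick the disposition and log level.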
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
