Fix ICMP problems in rc.firewall

Andreas Hauser andy at splashground.de
Thu Apr 21 11:52:15 PDT 2005


Hoi,

When your trusted_net, like in the default config, is a net that
is not routed, then even the allowed ICMP types are dropped.
The attached patch fixes that.
But it opens the possibility of using not-routed nets for attacks
that e.g. use the IP ID to guess some stuff about the host
(e.g. to guess open ports).
But since any IP is usually good enough for this, I don't think it
is a big regression, especially since we don't drop all nets that
aren't routed.

Also I would welcome a chmod +x etc/rc.firewall.

And then an RFC: shall I convert it to an rcng script?

Any other feedback on rc.firewall is also welcome.


Index: etc/rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.4
diff -u -p -r1.4 rc.firewall
--- etc/rc.firewall	28 Feb 2005 01:42:57 -0000	1.4
+++ etc/rc.firewall	21 Apr 2005 18:38:12 -0000
@@ -190,8 +190,8 @@ case ${firewall_type} in
         allow_trusted_nets ${firewall_trusted_nets}
         allow_trusted_interfaces ${firewall_trusted_interfaces}
         allow_connections
-        deny_not_routed_nets
         allow_icmp_types ${firewall_allowed_icmp_types}
+        deny_not_routed_nets
         open_tcp_ports ${firewall_open_tcp_ports}
         open_udp_ports ${firewall_open_udp_ports}
         deny_rest
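Review bot: moving deny_not_routed_nets below allow_icmp_types means allow_icmp_types ${firewall_allowed_icmp_types} now matches ICMP from every source, including not-routed nets, before the deny rule is reached; that is the exposure the cover letter accepts, but if the goal is only to let ICMP from the trusted net through, scoping the ICMP allow to ${firewall_trusted_nets} (alongside allow_trusted_nets above) would fix the reported drop without widening it to all unrouted sources. Either way, a comment next to these two lines noting that the order is deliberate would stop a later cleanup from swapping them back.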
