Shorewall users - Jul 2005 - Using MACLIST_TTL causes packets to skip loc2fw

Hi,

I am running a bridge on my local net (br0 [10.0.2.1] with an alias
br0:0 [10.0.2.2]) using MAC filtering and MACLIST_TTL=10 applied
in /etc/shorewall/shorewall.conf.  While testing the rule set, I noticed
that activating MACLIST_TTL causes packets to skip the loc2fw chain,
allowing packets that pass MAC filtering to access all ports on the
firewall.  This does not occur if MACLIST_TTL is not active.  I am using
shorewall version 2.4.1.

Here are the pertinent chains with MACLIST_TTL=10:

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j br0_rec
-A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth2 -j br0_rec
-A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth1 -j br0_rec
-A br0_mac -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level
6
-A br0_mac -j reject
-A br0_rec -m recent --update --name br0_mac --rsource -j ACCEPT
-A br0_rec -m recent --set --name br0_mac --rsource -j ACCEPT

Here are the chains without MACLIST_TTL:

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth2 -j RETURN
-A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth1 -j RETURN
-A br0_mac -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level
6
-A br0_mac -j reject

It would seem that after updating/setting the interface''s
"recent"
table, the packets shouldn''t be immediately accepted, but instead
returned to the br0_in chain to transverse loc2fw.  I''m not sure what
would be the best way to do this.  Should matches be made to "RETURN"
from br0_mac to br0_in and from there call br0_rec directly?  After
updating/setting the interface''s "recent" table in br0_rec,
the packets
could then "RETURN" to br0_in and move on to loc2fw.

Thanks for your help 
Neil



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

Supernaut wrote:
> Hi,
>
> I am running a bridge on my local net (br0 [10.0.2.1] with an alias
> br0:0 [10.0.2.2]) using MAC filtering and MACLIST_TTL=10 applied
> in /etc/shorewall/shorewall.conf.  While testing the rule set, I noticed
> that activating MACLIST_TTL causes packets to skip the loc2fw chain,
> allowing packets that pass MAC filtering to access all ports on the
> firewall.  This does not occur if MACLIST_TTL is not active.  I am using
> shorewall version 2.4.1.
Try this patch.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> Try this patch.
> 
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Thanks Tom.

Applied the patch:

-A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
-A br0_rec -m recent --set --name br0_mac --rsource

I''m afraid it didn''t work.  After applying the patch, all MAC
verified
clients were denied access with a Shorewall:br0_mac:REJECT log entry.


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

On Sunday 17 July 2005 08:42, Tom Eastep wrote:
>
> Try this patch.
>
This patch is broken too :-(

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Sunday 17 July 2005 09:19, Supernaut wrote:
> On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > Try this patch.
> >
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> > PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
> Thanks Tom.
>
> Applied the patch:
>
> -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> -A br0_rec -m recent --set --name br0_mac --rsource
>
Yep -- I just sent out a message before your post arrived.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Sunday 17 July 2005 09:19, Supernaut wrote:
> On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > Try this patch.
> >
> > -Tom
> > --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> > PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
> Thanks Tom.
>
> Applied the patch:
>
> -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> -A br0_rec -m recent --set --name br0_mac --rsource
>
> I''m afraid it didn''t work.  After applying the patch, all
MAC verified
> clients were denied access with a Shorewall:br0_mac:REJECT log entry.
>
Here''s a patch against 2.4.1 that should fix this -- please let me
know.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Hi Tom,

Sorry for the late reply. Patch works great!  Thanks again.

Neil

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j RETURN
-A br0_mac -j br0_rec
-A br0_mac -m recent --update --name br0_mac --rsource -j RETURN
-A br0_mac -m recent --set --name br0_mac --rsource
-A br0_rec -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth2 -j RETURN
-A br0_rec -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev 
--physdev-in eth1 -j RETURN
-A br0_rec -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_rec -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_rec -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_rec -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_rec -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_rec -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_rec -j LOG --log-prefix "Shorewall:br0_rec:REJECT:" --log-level
6
-A br0_rec -j reject

On Sun, 2005-07-17 at 11:48 -0700, Tom Eastep wrote:
> On Sunday 17 July 2005 09:19, Supernaut wrote:
> > On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > > Try this patch.
> > >
> > > -Tom
> > > --
> > > Tom Eastep    \ Nothing is foolproof to a sufficiently talented
fool
> > > Shoreline,     \ http://shorewall.net
> > > Washington USA  \ teastep@shorewall.net
> > > PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> >
> > Thanks Tom.
> >
> > Applied the patch:
> >
> > -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> > -A br0_rec -m recent --set --name br0_mac --rsource
> >
> > I''m afraid it didn''t work.  After applying the
patch, all MAC verified
> > clients were denied access with a Shorewall:br0_mac:REJECT log entry.
> >
> 
> Here''s a patch against 2.4.1 that should fix this -- please let me
know.
> 
> -Tom

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
> Hi Tom,
> 
> Sorry for the late reply. Patch works great!  Thanks again.
> 
> Neil
Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)

Patrick

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html





-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

Tsts,
Dislosure truly lags the report these days ... ;0)
>Report: 17.07.05 
>Confirmation: 17.07.05 
>Fix: 17.07.05 
>Disclosure: 17.07.06 
Joh

On Mon, 2005-07-18 at 01:27 +0200, Patrick Blitz wrote:
> On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
> > Hi Tom,
> > 
> > Sorry for the late reply. Patch works great!  Thanks again.
> > 
> > Neil
> 
> Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)
> 
> Patrick
> 
> http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html
> 
> 
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast.
http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
-- 
+----------------------------------------------------------------------+
| Johannes Graumann, Dipl. Biol.                                       |
|                                                                      |
|       Graduate Student                Tel.: ++1 (626) 395 6602       |
|       Deshaies Lab                    Fax.: ++1 (626) 395 5739       |
|       Department of Biology                                          |
|       CALTECH, M/C 156-29                                            |
|       1200 E. California Blvd.                                       |
|       Pasadena, CA 91125                                             |
|       USA                                                            |
+----------------------------------------------------------------------+




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click

Patrick Blitz wrote:
> On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
>>Hi Tom,
>>
>>Sorry for the late reply. Patch works great!  Thanks again.
>>
>>Neil
>
> Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)
>
Again, thanks to both Neil and Patrick for help in getting this problem
identified, reported and fixed.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key