Hi,

I am running a bridge on my local net (br0 [10.0.2.1] with an alias br0:0 [10.0.2.2]) using MAC filtering and MACLIST_TTL=10 applied in /etc/shorewall/shorewall.conf. While testing the rule set, I noticed that activating MACLIST_TTL causes packets to skip the loc2fw chain, allowing packets that pass MAC filtering to access all ports on the firewall. This does not occur if MACLIST_TTL is not active. I am using shorewall version 2.4.1.

Here are the pertinent chains with MACLIST_TTL=10:

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j br0_rec
-A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth2 -j br0_rec
-A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j br0_rec
-A br0_mac -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6
-A br0_mac -j reject
-A br0_rec -m recent --update --name br0_mac --rsource -j ACCEPT
-A br0_rec -m recent --set --name br0_mac --rsource -j ACCEPT

Here are the chains without MACLIST_TTL:

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth2 -j RETURN
-A br0_mac -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j RETURN
-A br0_mac -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_mac -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_mac -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_mac -j LOG --log-prefix "Shorewall:br0_mac:REJECT:" --log-level 6
-A br0_mac -j reject

It would seem that after updating/setting the interface's "recent" table, the packets shouldn't be immediately accepted, but instead returned to the br0_in chain to traverse loc2fw. I'm not sure what would be the best way to do this. Should matches be made to "RETURN" from br0_mac to br0_in and from there call br0_rec directly? After updating/setting the interface's "recent" table in br0_rec, the packets could then "RETURN" to br0_in and move on to loc2fw.

Thanks for your help

Neil
Supernaut wrote:
> Hi,
>
> I am running a bridge on my local net (br0 [10.0.2.1] with an alias
> br0:0 [10.0.2.2]) using MAC filtering and MACLIST_TTL=10 applied
> in /etc/shorewall/shorewall.conf. While testing the rule set, I noticed
> that activating MACLIST_TTL causes packets to skip the loc2fw chain,
> allowing packets that pass MAC filtering to access all ports on the
> firewall. This does not occur if MACLIST_TTL is not active. I am using
> shorewall version 2.4.1.

Try this patch.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> Try this patch.
>
> -Tom

Thanks Tom.

Applied the patch:

-A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
-A br0_rec -m recent --set --name br0_mac --rsource

I'm afraid it didn't work. After applying the patch, all MAC verified clients were denied access with a Shorewall:br0_mac:REJECT log entry.
On Sunday 17 July 2005 08:42, Tom Eastep wrote:
>
> Try this patch.
>

This patch is broken too :-(

-Tom
On Sunday 17 July 2005 09:19, Supernaut wrote:
> On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > Try this patch.
> >
> > -Tom
>
> Thanks Tom.
>
> Applied the patch:
>
> -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> -A br0_rec -m recent --set --name br0_mac --rsource
>

Yep -- I just sent out a message before your post arrived.

-Tom
On Sunday 17 July 2005 09:19, Supernaut wrote:
> On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > Try this patch.
> >
> > -Tom
>
> Thanks Tom.
>
> Applied the patch:
>
> -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> -A br0_rec -m recent --set --name br0_mac --rsource
>
> I'm afraid it didn't work. After applying the patch, all MAC verified
> clients were denied access with a Shorewall:br0_mac:REJECT log entry.
>

Here's a patch against 2.4.1 that should fix this -- please let me know.

-Tom
Hi Tom,

Sorry for the late reply. Patch works great! Thanks again.

Neil

-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -o eth0 -j loc2net
-A br0_fwd -o br0 -j ACCEPT
-A br0_in -m state --state INVALID,NEW -j dynamic
-A br0_in -p udp -m udp --dport 67:68 -j ACCEPT
-A br0_in -m state --state NEW -j br0_mac
-A br0_in -j loc2fw
-A br0_mac -m recent --rcheck --seconds 10 --name br0_mac --rsource -j RETURN
-A br0_mac -j br0_rec
-A br0_mac -m recent --update --name br0_mac --rsource -j RETURN
-A br0_mac -m recent --set --name br0_mac --rsource
-A br0_rec -s 10.0.2.3 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth2 -j RETURN
-A br0_rec -s 10.0.2.6 -m mac --mac-source xx:xx:xx:xx:xx:xx -m physdev --physdev-in eth1 -j RETURN
-A br0_rec -s 10.0.2.1 -d 10.0.2.7 -j RETURN
-A br0_rec -s 10.0.2.1 -d 255.255.255.255 -j RETURN
-A br0_rec -s 10.0.2.1 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_rec -s 10.0.2.2 -d 10.0.2.7 -j RETURN
-A br0_rec -s 10.0.2.2 -d 255.255.255.255 -j RETURN
-A br0_rec -s 10.0.2.2 -d 224.0.0.0/240.0.0.0 -j RETURN
-A br0_rec -j LOG --log-prefix "Shorewall:br0_rec:REJECT:" --log-level 6
-A br0_rec -j reject

On Sun, 2005-07-17 at 11:48 -0700, Tom Eastep wrote:
> On Sunday 17 July 2005 09:19, Supernaut wrote:
> > On Sun, 2005-07-17 at 08:42 -0700, Tom Eastep wrote:
> > > Try this patch.
> > >
> > > -Tom
> >
> > Thanks Tom.
> >
> > Applied the patch:
> >
> > -A br0_rec -m recent --update --name br0_mac --rsource -j RETURN
> > -A br0_rec -m recent --set --name br0_mac --rsource
> >
> > I'm afraid it didn't work. After applying the patch, all MAC verified
> > clients were denied access with a Shorewall:br0_mac:REJECT log entry.
>
> Here's a patch against 2.4.1 that should fix this -- please let me know.
>
> -Tom
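The three rule sets in this thread (2.4.1 with MACLIST_TTL, Tom's first patch, and the final patch) differ only in where the `recent` match sits and whether the sub-chain ends in ACCEPT or RETURN. The following is an added example, not code from the thread or from Shorewall: a small Python model of netfilter chain traversal with just enough of `-m recent` (--rcheck, --update, --set), `-s`, `--mac-source` and `--physdev-in` to replay a packet through each variant and see where it ends up. The MAC addresses are constructed (the post masks them as xx:xx:..), the `dynamic` chain and the DHCP accept are omitted because they do not affect the NEW packets in question, and reaching `loc2fw` is modelled as a terminal verdict so it can be observed.

```python
"""Toy model of netfilter chain traversal for the MACLIST_TTL chains in this
thread. Constructed example, not Shorewall or iptables code."""

TTL = 10  # MACLIST_TTL from the thread

# Allowed hosts from the posted br0_mac rules; MAC addresses are constructed.
HOSTS = [("10.0.2.3", "aa:bb:cc:00:00:03", "eth2"),
         ("10.0.2.6", "aa:bb:cc:00:00:06", "eth1")]

# --- matchers: fn(pkt, recent, now) -> bool; recent is {src_ip: last_seen}
def always(pkt, recent, now):
    return True

def host(ip, mac, dev):
    """-s ip -m mac --mac-source mac -m physdev --physdev-in dev"""
    return lambda p, r, n: (p["src"], p["mac"], p["dev"]) == (ip, mac, dev)

def rcheck(seconds):
    """--rcheck --seconds N: match if seen within N s; entry is not refreshed"""
    return lambda p, r, n: p["src"] in r and n - r[p["src"]] <= seconds

def update(p, r, n):
    """--update: match only if an entry exists, and refresh its timestamp"""
    if p["src"] in r:
        r[p["src"]] = n
        return True
    return False

def rset(p, r, n):
    """--set: always match; create or refresh the entry"""
    r[p["src"]] = n
    return True

# --- traversal. Targets: ("jump", chain) | "RETURN" | "ACCEPT" | "reject"
#     | "LOG" | None (rule without -j: fall through to the next rule).
def traverse(chain, chains, pkt, recent, now):
    for match, target in chains[chain]:
        if not match(pkt, recent, now) or target in (None, "LOG"):
            continue
        if target == "RETURN":
            return None
        if isinstance(target, tuple):
            verdict_ = traverse(target[1], chains, pkt, recent, now)
            if verdict_ is not None:
                return verdict_      # ACCEPT/reject inside a sub-chain is final
            continue                 # sub-chain RETURNed: keep going here
        return target
    return None  # falling off the end of a user chain is an implicit RETURN

def verdict(chains, pkt, recent, now):
    """Verdict for a NEW packet entering br0_in (dynamic/DHCP rules omitted)."""
    return traverse("br0_in", chains, pkt, recent, now) or "policy"

def common():
    # loc2fw stands in for the zone policy chain; reaching it is what we test.
    return {"br0_in": [(always, ("jump", "br0_mac")), (always, ("jump", "loc2fw"))],
            "loc2fw": [(always, "LOC2FW")]}

def original_ttl_rules():
    """2.4.1 with MACLIST_TTL: br0_rec ACCEPTs, so loc2fw is never reached."""
    c = common()
    c["br0_mac"] = ([(rcheck(TTL), ("jump", "br0_rec"))]
                    + [(host(*h), ("jump", "br0_rec")) for h in HOSTS]
                    + [(always, "LOG"), (always, "reject")])
    c["br0_rec"] = [(update, "ACCEPT"), (rset, "ACCEPT")]
    return c

def first_patch_rules():
    """First patch: br0_rec RETURNs, but br0_mac then runs on into LOG/reject."""
    c = original_ttl_rules()
    c["br0_rec"] = [(update, "RETURN"), (rset, None)]
    return c

def fixed_rules():
    """Final patch: host checks move to br0_rec; br0_mac RETURNs on success."""
    c = common()
    c["br0_mac"] = [(rcheck(TTL), "RETURN"), (always, ("jump", "br0_rec")),
                    (update, "RETURN"), (rset, None)]
    c["br0_rec"] = ([(host(*h), "RETURN") for h in HOSTS]
                    + [(always, "LOG"), (always, "reject")])
    return c

def pkt(src, mac, dev):
    return {"src": src, "mac": mac, "dev": dev}

KNOWN = pkt("10.0.2.3", "aa:bb:cc:00:00:03", "eth2")
SPOOF = pkt("10.0.2.3", "aa:bb:cc:00:00:99", "eth2")  # right IP, wrong MAC

def trace(rules_fn):
    """Verdicts for: first packet, one inside the TTL, one after it, a spoofed
    MAC arriving after the TTL has expired."""
    chains, recent = rules_fn(), {}
    return (verdict(chains, KNOWN, recent, 0),
            verdict(chains, KNOWN, recent, 5),
            verdict(chains, KNOWN, recent, 30),
            verdict(chains, SPOOF, recent, 50))

if __name__ == "__main__":
    for fn in (original_ttl_rules, first_patch_rules, fixed_rules):
        print(f"{fn.__name__:20s} {trace(fn)}")
```

Running it reproduces the thread: the original MACLIST_TTL chains return ACCEPT for every packet from a verified host (loc2fw never runs), the first patch rejects all of them because br0_mac continues past the sub-chain into its own LOG/reject rules, and the final patch hands every verified packet to loc2fw while still rejecting the spoofed MAC. One caveat visible in the rules themselves: the `recent` entry is keyed on the source IP (`--rsource`), so within the TTL a packet is passed on the strength of its IP alone; that is the trade-off MACLIST_TTL makes for skipping the MAC check on every packet.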
On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
> Hi Tom,
>
> Sorry for the late reply. Patch works great! Thanks again.
>
> Neil

Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)

Patrick

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html
Johannes Graumann
2005-Jul-17 23:35 UTC
Re: Using MACLIST_TTL causes packets to skip loc2fw
Tsts, Disclosure truly lags the report these days ... ;0)

> Report: 17.07.05
> Confirmation: 17.07.05
> Fix: 17.07.05
> Disclosure: 17.07.06

Joh

On Mon, 2005-07-18 at 01:27 +0200, Patrick Blitz wrote:
> On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
> > Hi Tom,
> >
> > Sorry for the late reply. Patch works great! Thanks again.
> >
> > Neil
>
> Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)
>
> Patrick
>
> http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html

--
Johannes Graumann, Dipl. Biol.
Graduate Student, Deshaies Lab, Department of Biology
CALTECH, M/C 156-29, 1200 E. California Blvd., Pasadena, CA 91125, USA
Tel.: ++1 (626) 395 6602   Fax.: ++1 (626) 395 5739
Patrick Blitz wrote:
> On Sun, 2005-07-17 at 20:15 -0300, Supernaut wrote:
>> Hi Tom,
>>
>> Sorry for the late reply. Patch works great! Thanks again.
>>
>> Neil
>
> Neil, watch Full-Disclosure and/or Bugtraq... you got some fame there :)
>

Again, thanks to both Neil and Patrick for help in getting this problem identified, reported and fixed.

-Tom