0000314: iptables.pm adding FORWARD ACCEPT MARK 0x1 rule to ipchains when operating in passive mode. - PacketFence

PacketFence - BTS - PacketFence 1.7
View Issue Details

ID	Project	Category	View Status	Date Submitted	Last Update
0000314	PacketFence 1.7		public	2008-04-21 14:19	2008-07-21 16:56

Reporter	aflannery
Assigned To	user4
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Platform		OS		OS Version
Product Version
Target Version		Fixed in Version	monotone
fixed in mtn revision

Summary	0000314: iptables.pm adding FORWARD ACCEPT MARK 0x1 rule to ipchains when operating in passive mode.
Description	iptables.pm on ln 686 adds multiple rules to the FORWARD chain, giving certain marked packets the ability to traverse interfaces. this presents a security problem when a machine has a privileged admin interface sitting on a network or VLAN where you DO NOT want user traffic to end up. Also, enabling routing makes little sense when operating in passive (arp) mode.
Steps To Reproduce
Additional Information	as a workaround I enclosed these internal_append_entry calls: if(isenabled($Config{'network'}{'nat'})){ ... internal_append_entry(...); ... } Patch included.
Tags	No tags attached.
Relationships
Attached Files	iptables_nonat.patch (1,567) 2008-04-21 14:19 https://www.packetfence.org/bugs/file_download.php?file_id=34&type=bug

Issue History
Date Modified	Username	Field	Change
2008-04-21 14:19	aflannery	New Issue
2008-04-21 14:19	aflannery	File Added: iptables_nonat.patch
2008-06-12 20:55	user4	Project	PacketFence 1.6.2 => PacketFence 1.7
2008-06-12 20:55	user4	Status	new => assigned
2008-06-12 20:55	user4	Assigned To	=> user4
2008-07-21 16:56	user4	Status	assigned => closed
2008-07-21 16:56	user4	Note Added: 0000767
2008-07-21 16:56	user4	Resolution	open => fixed
2008-07-21 16:56	user4	Fixed in Version	=> monotone

Notes