0000314: iptables.pm adding FORWARD ACCEPT MARK 0x1 rule to ipchains when operating in passive mode. - PacketFence

Bug Tracking System

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0000314

PacketFence 1.7

public

2008-04-21 14:19

2008-07-21 16:56

Reporter

aflannery

Assigned To

user4

Priority

normal

Severity

major

Reproducibility

always

Status

closed

Resolution

fixed

Platform

OS Version

Product Version

Target Version

Fixed in Version

monotone

Summary

0000314: iptables.pm adding FORWARD ACCEPT MARK 0x1 rule to ipchains when operating in passive mode.

Description

iptables.pm on ln 686 adds multiple rules to the FORWARD chain, giving certain marked packets the ability to traverse interfaces.

this presents a security problem when a machine has a privileged admin interface sitting on a network or VLAN where you DO NOT want user traffic to end up.

Also, enabling routing makes little sense when operating in passive (arp) mode.

Additional Information

as a workaround I enclosed these internal_append_entry calls:
if(isenabled($Config{'network'}{'nat'})){
  ...
  internal_append_entry(...);
  ...
}

Patch included.

Tags

No tags attached.

fixed in mtn revision

Attached Files

iptables_nonat.patch (Attachment missing)

Relationships

Notes
(0000767) user4 2008-07-21 16:56	revision 2bec65bd586a6ae3997316190870e09bcaecb506

Issue History
Date Modified	Username	Field	Change
2008-04-21 14:19	aflannery	New Issue
2008-04-21 14:19	aflannery	File Added: iptables_nonat.patch
2008-06-12 20:55	user4	Project	PacketFence 1.6.2 => PacketFence 1.7
2008-06-12 20:55	user4	Status	new => assigned
2008-06-12 20:55	user4	Assigned To	=> user4
2008-07-21 16:56	user4	Status	assigned => closed
2008-07-21 16:56	user4	Note Added: 0000767
2008-07-21 16:56	user4	Resolution	open => fixed
2008-07-21 16:56	user4	Fixed in Version	=> monotone