Fix ICMP problems in rc.firewall

Board: DFBSD_submit, posted 2005/04/22 03:01
Hoi,

when your trusted_net, like in the default config, is a net that is not routed, then even the allowed ICMP types are dropped. The attached patch fixes that. But it opens the possibility of using not routed nets for attacks that e.g. use the IP ID to guess some stuff about the host (e.g. to guess open ports). But since any IP is usually good enough for this, I don't think it is a big regression, especially since we don't drop all nets that aren't routed.

Also I would welcome a chmod +x etc/rc.firewall.

And then an RFC: shall I convert it to an rcng script? Any other feedback on rc.firewall is also welcome.

Index: etc/rc.firewall
===================================================================
RCS file: /home/dcvs/src/etc/rc.firewall,v
retrieving revision 1.4
diff -u -p -r1.4 rc.firewall
--- etc/rc.firewall	28 Feb 2005 01:42:57 -0000	1.4
+++ etc/rc.firewall	21 Apr 2005 18:38:12 -0000
@@ -190,8 +190,8 @@ case ${firewall_type} in
 	allow_trusted_nets ${firewall_trusted_nets}
 	allow_trusted_interfaces ${firewall_trusted_interfaces}
 	allow_connections
-	deny_not_routed_nets
 	allow_icmp_types ${firewall_allowed_icmp_types}
+	deny_not_routed_nets
 	open_tcp_ports ${firewall_open_tcp_ports}
 	open_udp_ports ${firewall_open_udp_ports}
 	deny_rest
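Review bot: the new ordering makes allow_icmp_types depend on running before deny_not_routed_nets, but nothing in the hunk records that; put a comment above the moved `deny_not_routed_nets` line stating that the allowed ICMP types are deliberately accepted from non-routed sources first, and the IP ID exposure this trades off, so a later tidy-up does not silently restore the old order. The reorder also exempts every non-routed source from the deny for those ICMP types, not only the net in ${firewall_trusted_nets} that the report is about; if the trusted net is the only case that matters, an explicit allow for ICMP from ${firewall_trusted_nets} placed ahead of deny_not_routed_nets would fix the symptom while keeping the deny intact for all other non-routed sources.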
Article ID (AID): #12P_Xw00 (DFBSD_submit)
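The post's point is a first-match ordering effect: once deny_not_routed_nets sits in front of allow_icmp_types, ICMP from any non-routed source is dropped before the allow rule is ever consulted, and swapping the two rules lets those ICMP types through from every non-routed source, not just the trusted net. The following is an added illustration written for this page, not code from rc.firewall or DragonFly; it models the rules as first-match predicates with constructed, assumed values (the allowed ICMP types, the non-routed nets, the open TCP port and the sample addresses are all invented here) and evaluates the same packets under both orderings.

```python
"""Constructed first-match model of the rule ordering discussed in the post.

This is a simplified stand-in for rc.firewall's helper functions, not their
real implementation; the policy values below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed policy values (constructed, not rc.firewall defaults).
ALLOWED_ICMP_TYPES = {0, 3, 8, 11}   # echo reply, unreachable, echo request, time exceeded
NOT_ROUTED_NETS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OPEN_TCP_PORTS = {22}


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str              # "icmp", "tcp" or "udp"
    icmp_type: int = -1     # only meaningful for proto == "icmp"
    dport: int = -1         # only meaningful for tcp/udp


def allow_icmp_types(pkt):
    """Accept ICMP of an allowed type from any source."""
    if pkt.proto == "icmp" and pkt.icmp_type in ALLOWED_ICMP_TYPES:
        return "allow"
    return None


def deny_not_routed_nets(pkt):
    """Drop anything whose source falls in a non-routed net."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in NOT_ROUTED_NETS):
        return "deny"
    return None


def open_tcp_ports(pkt):
    """Accept TCP to an explicitly opened port."""
    if pkt.proto == "tcp" and pkt.dport in OPEN_TCP_PORTS:
        return "allow"
    return None


def deny_rest(pkt):
    """Default deny; always the last rule."""
    return "deny"


# Rule order before the patch (deny runs first) and after it (ICMP allow runs first).
OLD_ORDER = [deny_not_routed_nets, allow_icmp_types, open_tcp_ports, deny_rest]
NEW_ORDER = [allow_icmp_types, deny_not_routed_nets, open_tcp_ports, deny_rest]


def evaluate(rules, pkt):
    """First matching rule decides; returns (verdict, name of deciding rule)."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict, rule.__name__
    raise AssertionError("rule set must end with deny_rest")


def compare(pkt):
    """Verdict for the same packet under both orderings."""
    return {"old": evaluate(OLD_ORDER, pkt), "new": evaluate(NEW_ORDER, pkt)}


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.5", "icmp", icmp_type=8),       # echo request from a non-routed net
        Packet("10.0.0.5", "icmp", icmp_type=13),      # timestamp request, not in the allow list
        Packet("10.0.0.5", "tcp", dport=22),           # TCP from a non-routed net
        Packet("203.0.113.9", "icmp", icmp_type=8),    # echo request from a routed address
    ]
    for p in samples:
        print(p, compare(p))
```

Running it shows the two things the post describes: the echo request from 10.0.0.5 is dropped by deny_not_routed_nets under the old order and accepted by allow_icmp_types under the new one, while TCP and non-allowed ICMP types from the same source are still denied either way; the same relaxation applies to any address inside NOT_ROUTED_NETS, which is the widened exposure the author weighs against the fix.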