Package: shorewall
Version: 2.4.5-1
Severity: important

It appears that once a DNAT rule has been done, it persists even across 'restart' or 'force-reload'. This is a serious security hole, because the old rules should not be there any more if changes have been made to the /etc/shorewall/rules file.
HOW TO REPRODUCE
================

Have hosts A and B in the local network and access them from external host C.
The connection happens to A, which forwards port 2222 to B's 22.

    C => ( A -> [2022:dnat:22] -> B )

a) initial settings in /etc/shorewall/rules

    ACCEPT  net  fw                  tcp  2022
    DNAT    net  loc:192.168.1.2:22  tcp  2222  -

   - Connect to A, which should forward to B.
   - Complete login to B with ssh.

b) change the above settings to the following:

    ACCEPT  net  fw                  tcp  2222
    DNAT    net  loc:192.168.1.2:22  tcp  2222

   - Restart shorewall: /etc/init.d/shorewall restart
   - Connect to A, but *using* the previous forward, port 2022.
     => You're forwarded to B.

Confirm that the previous rule still exists:

    iptables -L | grep 2022

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)

Versions of packages shorewall depends on:
ii  debconf [debconf-2.0]         1.4.58      Debian configuration management sy
ii  iproute                       20041019-3  Professional tools to control the
ii  iptables                      1.3.3-2     Linux kernel 2.4+ iptables adminis

Versions of packages shorewall recommends:
ii  wget                          1.10.2-1    retrieves files from the web

-- debconf information:
* shorewall/upgrade_20_22:
  shorewall/upgrade_14_20:
  shorewall/upgrade_to_14:
  shorewall/warnrfc1918:
* shorewall/dont_restart:
  shorewall/major_release:
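An added post-restart check (not part of this report or of shorewall itself) that compares the DNAT destination ports configured in the rules file with the DNAT rules actually loaded in the kernel nat table, so a forward that survived a restart, like the port 2022 rule above, is flagged. The sample rules, the nat table listing and the chain name net_dnat are constructed for the example; on a live host feed it the output of `cat /etc/shorewall/rules` and `iptables -t nat -S`.

```shell
#!/bin/sh
# Stale DNAT detection: report --dport values that are loaded in the nat table
# with a DNAT target but no longer appear on a DNAT line of the rules file.

# Shorewall rules columns: ACTION SOURCE DEST PROTO DEST-PORT ...
# Print the destination ports of all DNAT lines (numeric ports only).
configured_dnat_ports() {
    printf '%s\n' "$1" |
        awk '$1 == "DNAT" && $5 ~ /^[0-9]+$/ { print $5 }' | sort -u
}

# Parse `iptables -t nat -S` output: for every rule with a DNAT target,
# print the value following --dport.
loaded_dnat_ports() {
    printf '%s\n' "$1" |
        awk '/-j DNAT/ { for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }' |
        sort -u
}

# Ports loaded in the kernel that the current rules file does not configure.
stale_dnat_ports() {
    conf=$(configured_dnat_ports "$1")
    for port in $(loaded_dnat_ports "$2"); do
        printf '%s\n' "$conf" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# Constructed sample: the rules file after step b) of the report ...
SAMPLE_RULES='#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
ACCEPT   net     fw                  tcp    2222
DNAT     net     loc:192.168.1.2:22  tcp    2222
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

# ... and a constructed nat table in which the old 2022 forward is still present.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A net_dnat -p tcp -m tcp --dport 2022 -j DNAT --to-destination 192.168.1.2:22
-A net_dnat -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22'

# Prints 2022, the forward that should have disappeared on restart.
stale_dnat_ports "$SAMPLE_RULES" "$SAMPLE_NAT"
```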