Re: Bad press again...
* Paul Gear:
> Florian Weimer wrote:
>> ...
>> It seems that shorewall generates an ACL that ACCEPTs all traffic once
>> a MAC rule matches. Further rules are not considered. The
>> explanations in version 2.2.3 seem to indicate that this was the
>> intended behavior, but its implications surprised upstream, and a
>> corrected version was released.
>
> That's not an accurate summary of the Shorewall team's stance. It is a
> simple bug. When someone uses MAC filtering in their firewall rules, it
> was always intended that a system which passed the MAC filter still be
> subject to the other rules (IP & port filters).
# When a new connection arrives from a 'maclist' interface, the packet passes
# through the list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occurring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. [...]
Highly ambiguous at best. 8-(
The behavior of the MAC filter is not documented at all.
Anyway, this subthread won't lead us to a DSA. Tomorrow, I'm going to
set up shorewall in my lab and reproduce the bug. Hopefully that's
more productive (in some weird sense, of course).
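To make the disputed semantics concrete, here is a toy simulator of iptables-style chain traversal. It is an added example, not Shorewall's generated ruleset and not code from anyone in this thread: the chain names (INPUT, eth1_mac), the rule layout, the allowed MAC addresses, the sample packets and the helper names (build, run_scenario) are all assumptions made for illustration. The same maclist chain is built twice, once with the matching rules terminating in ACCEPT (the behaviour reported above, where a matched MAC skips every later rule) and once terminating in RETURN (the intended behaviour, where the packet goes back to the calling chain and still has to pass the port rules). It also models the 'Recent' set described in the quoted comment: once an IP has passed the MAC check, packets from that IP within the TTL are let through the maclist chain without their MAC being examined at all.

```python
"""Toy model of the maclist semantics discussed in the thread.

Added example: a simplified simulator of iptables-style chain traversal,
not Shorewall's generated rules.  Chain names, rule layout, MACs, IPs and
helper names are assumptions made for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"


@dataclass
class Packet:
    iface: str
    src_mac: str
    src_ip: str
    dport: int


@dataclass
class Rule:
    match: Callable[[Packet, float], bool]  # (packet, now) -> bool
    target: str                              # ACCEPT / DROP / RETURN or a user chain name


class Firewall:
    def __init__(self, policy: str = DROP) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policy = policy  # verdict if INPUT falls off the end

    def add(self, chain: str, match: Callable[[Packet, float], bool], target: str) -> None:
        self.chains.setdefault(chain, []).append(Rule(match, target))

    def _walk(self, chain: str, pkt: Packet, now: float) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt, now):
                continue
            if rule.target in (ACCEPT, DROP):
                return rule.target              # terminal verdict: later rules never run
            if rule.target == RETURN:
                return None                     # back to the calling chain
            verdict = self._walk(rule.target, pkt, now)  # jump into a user chain
            if verdict is not None:
                return verdict                  # user chain decided
        return None                             # fell off the end, caller continues

    def verdict(self, pkt: Packet, now: float = 0.0) -> str:
        return self._walk("INPUT", pkt, now) or self.policy


def build(on_match: str, allowed_macs: Set[str], ttl: float = 300.0) -> Firewall:
    """INPUT -> per-interface maclist chain -> port rules (assumed layout).

    on_match is the target used when a MAC (or a cached IP) matches:
    ACCEPT models the reported behaviour, RETURN the intended one.
    """
    fw = Firewall(policy=DROP)
    recent: Dict[str, float] = {}  # 'Recent' set: src_ip -> time it last passed the MAC check

    def recent_hit(pkt: Packet, now: float) -> bool:
        ts = recent.get(pkt.src_ip)
        return ts is not None and now - ts < ttl

    def mac_hit(pkt: Packet, now: float) -> bool:
        if pkt.src_mac in allowed_macs:
            recent[pkt.src_ip] = now  # side effect: remember the IP, as the comment describes
            return True
        return False

    fw.add("eth1_mac", recent_hit, on_match)           # cached IP: entries are not scanned
    fw.add("eth1_mac", mac_hit, on_match)              # scan the maclist entries
    fw.add("eth1_mac", lambda p, t: True, DROP)        # unknown MAC: drop
    fw.add("INPUT", lambda p, t: p.iface == "eth1", "eth1_mac")
    fw.add("INPUT", lambda p, t: p.dport == 22, ACCEPT)  # only ssh is meant to be reachable
    return fw


def run_scenario(on_match: str) -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet."""
    known = "00:11:22:33:44:55"
    fw = build(on_match, allowed_macs={known})
    return [
        fw.verdict(Packet("eth1", known, "10.0.0.5", 22), now=0),               # known MAC, ssh
        fw.verdict(Packet("eth1", known, "10.0.0.5", 80), now=1),               # known MAC, closed port
        fw.verdict(Packet("eth1", "de:ad:be:ef:00:01", "10.0.0.5", 80), now=2), # cached IP, other MAC, inside TTL
        fw.verdict(Packet("eth1", "de:ad:be:ef:00:01", "10.0.0.9", 22), now=3), # unknown MAC and IP
        fw.verdict(Packet("eth1", "de:ad:be:ef:00:01", "10.0.0.5", 22), now=1000),  # cache entry expired
    ]


if __name__ == "__main__":
    print("match -> ACCEPT:", run_scenario(ACCEPT))
    print("match -> RETURN:", run_scenario(RETURN))
```

With ACCEPT on match, the second packet (a whitelisted MAC talking to port 80, which no rule opens) is accepted because the maclist chain never hands control back; with RETURN it is dropped by the INPUT policy, which is what "still be subject to the other rules" means. The third packet shows the 'Recent' set caveat in both variants: within the TTL the check is keyed on the source IP alone, so a different MAC claiming that IP passes the maclist chain without being scanned.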