
Re: Bad press again...

* Paul Gear:

> Florian Weimer wrote:
>> ...
>> It seems that shorewall generates an ACL that ACCEPTs all traffic once
>> a MAC rule matches.  Further rules are not considered.  The
>> explanations in version 2.2.3 seem to indicate that this was the
>> intended behavior, but its implications surprised upstream, and a
>> corrected version was released.
>
> That's not an accurate summary of the Shorewall team's stance.  It is a
> simple bug.  When someone uses MAC filtering in their firewall rules, it
> was always intended that a system which passed the MAC filter still be
> subject to the other rules (IP & port filters).

# When a new connection arrives from a 'maclist' interface, the packet passes
# through the list of entries for that interface in /etc/shorewall/maclist. If
# there is a match then the source IP address is added to the 'Recent' set for
# that interface. Subsequent connection attempts from that IP address occurring
# within $MACLIST_TTL seconds will be accepted without having to scan all of
# the entries. [...]

Highly ambiguous at best. 8-(

The behavior of the MAC filter is not documented at all.

Anyway, this subthread won't lead us to a DSA.  Tomorrow, I'm going to
set up shorewall in my lab and reproduce the bug.  Hopefully that's
more productive (in some weird sense, of course).
