
Re: Firewalld



	Hi.

On Sun, 23 Jul 2017 17:29:54 +0000
Tom Browder <tom.browder@gmail.com> wrote:

> Webmin uses firewalld to manage firewalls. Is there any reason not to use
> webmin for my servers' firewall management?

I'll bite.

First things first, CVE-2016-5410 and [1]. [1] comes with this
beautiful tag attached:

Upstream told me that they know that the lockdown feature is not secure
and they wouldn't know how to fix it, except for removing the feature
completely.


Second, [2] states that *popular* iptables frontends are ufw, shorewall
and fwbuilder. That means someone's actually using them, finding bugs,
fixing them, etc.


And last, but not least, [3]. There you have it all. Remote code
execution. Directory traversal. XSS. Authentication bypass.


tl;dr version - friends do not let friends use webmin and/or
firewalld.

Reco

[1] http://seclists.org/oss-sec/2017/q3/139
[2] https://wiki.debian.org/Firewalls
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webmin

