Re: Firewalld
Hi.
On Sun, 23 Jul 2017 17:29:54 +0000
Tom Browder <tom.browder@gmail.com> wrote:
> Webmin uses firewalld to manage firewalls. Is there any reason not to use
> webmin for my servers' firewall management?
I'll bite.
First things first, CVE-2016-5410 and [1]. [1] comes with this
beautiful tag attached:
  "Upstream told me that they know that the lockdown feature is not secure
  and they wouldn't know how to fix it, except for removing the feature
  completely."
Second, [2] states that *popular* iptables frontends are ufw, shorewall
and fwbuilder. That means someone's actually using them, finding bugs,
fixing them, etc.
And last, but not least, [3]. There you have it all. Remote code
execution. Directory traversal. XSS. Authentication bypass.
tl;dr version - friends do not let friends use webmin and/or
firewalld.
Reco
[1] http://seclists.org/oss-sec/2017/q3/139
[2] https://wiki.debian.org/Firewalls
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webmin