chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0

BIG SECURITY ISSUE in rebuild-iptables #11

Closed Mic92 closed 10 years ago

Mic92 commented 10 years ago

The new rebuild-script of the current git version does not add the FWR chain to the INPUT chain, like this:

-A FWR -p icmp -j ACCEPT

and it does not drop packets at the end of the FWR chain, if no rules match:

-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable

This means all packets will pass the firewall!

Mic92 commented 10 years ago

push

jrust commented 10 years ago

Bump. This is a pretty big hole.

jrust commented 10 years ago

In the meantime, to get back to the secure-by-default behaviour of before, add the following rules/templates:

prefix.erb:

-A INPUT -j FWR
-A FWR -i lo -j ACCEPT

postfix.erb:

# Rejects all remaining connections with port-unreachable errors.
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
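
A pre-load sanity check for the two gaps described in this issue (no INPUT -> FWR jump, no terminal REJECT rules in FWR), added here as an example; it is not part of the cookbook or of rebuild-iptables. The `check_fwr_rules` function and both rulesets are constructed for illustration.

```sh
#!/bin/sh
# Verify an iptables-save style ruleset before loading it: INPUT must jump to
# FWR, and FWR must end with the tcp SYN and udp REJECT rules. Otherwise any
# packet not matched by an explicit rule falls through to the chain's default
# policy, which is ACCEPT on most hosts.
check_fwr_rules() {
    rules="$1"
    # 1. INPUT must hand traffic to the FWR chain (optionally with a match like -i eth0).
    grep -qE '^-A INPUT( .*)? -j FWR( |$)' "$rules" \
        || { echo "missing INPUT -> FWR jump in $rules"; return 1; }
    # 2. The last two FWR rules must be the tcp and udp REJECTs that close the chain.
    tail_rules=$(grep -E '^-A FWR ' "$rules" | tail -n 2)
    printf '%s\n' "$tail_rules" | grep -qE '^-A FWR -p tcp .*-j REJECT' \
        || { echo "FWR chain lacks a terminal tcp REJECT in $rules"; return 1; }
    printf '%s\n' "$tail_rules" | grep -qE '^-A FWR -p udp .*-j REJECT' \
        || { echo "FWR chain lacks a terminal udp REJECT in $rules"; return 1; }
    return 0
}

GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT

# Constructed ruleset with the prefix/postfix rules from this issue in place.
cat >"$GOOD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FWR - [0:0]
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
-A FWR -p icmp -j ACCEPT
-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

# Constructed ruleset modelled on the report: FWR is populated but never reached and never closed.
cat >"$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FWR - [0:0]
-A FWR -i lo -j ACCEPT
-A FWR -p icmp -j ACCEPT
-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

check_fwr_rules "$GOOD_RULES" && echo "ok: $GOOD_RULES is safe to load"
check_fwr_rules "$BAD_RULES" || echo "refusing to load $BAD_RULES"
```

Run it against the file rebuild-iptables is about to pass to iptables-restore; a non-zero exit means the host would be left open.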

Mic92 commented 10 years ago

I switched to: http://ferm.foo-projects.org/, which provides some additional nice features like functions for better modularity. I can recommend that anyone take a look at it.

andytson commented 10 years ago

@someara Sorry for yet again including you in another thing to get a response, but do you know how to push this forward as a priority? I've only spotted this today.

It seems like the move away from JIRA has possibly reduced the alert response to tickets.

andytson commented 10 years ago

I've added an issue upstream to the new rebuild-script's github repo: https://github.com/phlipper/rebuild-iptables/issues/5

Either this should be reverted to the perl version or an adequate solution done with the new rebuild script.

andytson commented 10 years ago

@someara perhaps v0.13.2 should be yanked from the supermarket for now?

andytson commented 10 years ago

I'm leaning towards preferring a solution like what @jrust mentions, which will give the cookbook greater flexibility, but it can either be done by injecting the prefix/suffix into the script, or by naming rules like '0000-prefix', 'zzzz-suffix' in the /etc/iptables.d/ folder so file ordering puts them in the right places.

andytson commented 10 years ago

@someara sorry, also v0.13.0 should probably be yanked as well. I was confused seeing the perl script still in the repository for that tag, so I thought it was unaffected. v0.12.2 is the last known good version.

someara commented 10 years ago

I can't just yank artifacts from the Supermarket. It breaks builds, CI systems, etc. We'll have to roll forward.

Mic92 commented 10 years ago

You should at least warn people about the breaking change in README.md

cwebberOps commented 10 years ago

@andytson @Mic92 @someara I am looking at this right now.