Hi.

On Sun, 23 Jul 2017 17:29:54 +0000 Tom Browder <tom.brow...@gmail.com> wrote:
> Webmin uses firewalld to manage firewalls. Is there any reason not to use
> webmin for my servers' firewall management?

I'll bite.

First things first, CVE-2016-5410 and [1]. [1] comes with this beautiful tag attached:

Upstream told me that they know that the lockdown feature is not secure and they wouldn't know how to fix it, except for removing the feature completely.

Second, [2] states that *popular* iptables frontends are ufw, shorewall and fwbuilder. That means someone's actually using them, finding bugs, fixing them, etc.

And last, but not least, [3]. There you have it all. Remote code execution. Directory traversal. XSS. Authentication bypass.

tl;dr version - friends do not let friends use webmin and/or firewalld.

Reco

[1] http://seclists.org/oss-sec/2017/q3/139
[2] https://wiki.debian.org/Firewalls
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webmin