Re: Default configuration in WatchGuard Firewall

1999-09-14 Thread Steve Fallin

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On September 4th, a message was posted to Bugtraq describing a
potential problem with the WatchGuard Firebox default configuration
file. The poster, Sr. Alfonso Lazaro stated that, by default, the
WatchGuard Firebox allowed ping traffic from any interface to any
interface. When the WatchGuard Rapid Response Team saw the post, we
began trying both to contact Sr. Lazaro and to verify his
observations. We reviewed our source code and currently shipping
versions of the default configuration file as well as code and files
several generations back. To date, we have been unsuccessful
contacting Sr. Lazaro. We completed our review of the relevant files
and code and were unable to locate anything to support the
observations Sr. Lazaro described in his post. In the absence of any
further information from Sr. Lazaro, we believe that his report of a
vulnerability in Firebox default configuration files is in error.

Steve Fallin
Sr. Network Security Analyst
WatchGuard Technologies


-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.0.2

iQA/AwUBN91hnU3Vi9lbkWzpEQKTjwCg6BdeU2WWGcnFGFJZcdJrq+Q/K/kAn1js
GUk8UKaWrlmx/yp7b7sDqEH8
=n2LT
-END PGP SIGNATURE-



Re: Default configuration in WatchGuard Firewall

1999-09-09 Thread Steve Fallin

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Saturday, September 4, a description of a potential problem with
the WatchGuard Firebox default configuration file was posted to
Bugtraq. At WatchGuard we take this sort of issue very seriously.
When we saw the post, we initiated contact with the poster and are
trying to re-create the observed behavior.  Our preliminary analysis
is that the reported behavior is not traceable to the default
configuration files.  We will post more information as we have it.

Steve Fallin
WatchGuard Rapid Response Team


-BEGIN PGP SIGNATURE-
Version: PGP Personal Privacy 6.0.2

iQA/AwUBN9V8M03Vi9lbkWzpEQI1oQCgygum8l60xkIFUUsQs6LMxm8CAGkAoLNu
auX/QuSIR9MyNOYOmw9RAb29
=IGEy
-END PGP SIGNATURE-



Re: Default configuration in WatchGuard Firewall

1999-09-08 Thread Ryan Russell

It's always a good idea to disable pings from the outside to your internal
network.  I don't mean to discourage anyone from doing so, but...

> # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100

This only works if you are on the 100.100.100 network, i.e. one hop away.  Won't
work all the way across the Internet.  Have you tried it with source-routing?

> Solution is easy ... do not let pings to internal network.

Please do.  Does Watchguard give you some flexibility about what ICMP to let
in?  I.e. can you shut off the pings in, but still leave on ICMP unreachables,
in order to not break path MTU discovery?  Does it do the stateful thing and
let ICMP echo replies in only if a request was sent, etc?

ICMP is also one of the many interesting things that Firewall-1 leaves on by
default.  Newbie FW-1 admins usually don't know to go through the properties
screen and disable all the things on by default.

  Ryan
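The ICMP policy Ryan asks about, as an added example that is not code from the original thread and not WatchGuard's own code: a small Python model of a firewall that drops inbound echo-request, admits echo-reply only when it matches a request that left the protected side (the "stateful thing"), and keeps ICMP destination-unreachable, including type 3 code 4 "fragmentation needed", so path MTU discovery still works. The addresses, echo identifiers and the 192.168.0.0/16 protected range are assumptions for the demonstration, not values from the thread.

```python
"""Stateful ICMP filter model (added example, not WatchGuard code)."""
from dataclasses import dataclass, field
import ipaddress

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4          # code under type 3, carried by PMTUD


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    code: int = 0
    ident: int = 0       # echo identifier; request and reply share it
    seq: int = 0         # echo sequence number


@dataclass
class IcmpFilter:
    # Hypothetical protected network; assumption for the demo.
    internal: str = "192.168.0.0/16"
    # Echo requests that left the inside and may still be answered.
    pending: set = field(default_factory=set)

    def outbound(self, pkt):
        """Packet leaving the protected side: remember echo requests."""
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "allow"

    def inbound(self, pkt):
        """Packet arriving on the external interface."""
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.internal):
            return "drop"                 # not addressed to the inside at all
        if pkt.icmp_type == ECHO_REQUEST:
            return "drop"                 # no pings into the internal network
        if pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)  # one reply per recorded request
                return "allow"
            return "drop"                 # unsolicited reply
        if pkt.icmp_type == DEST_UNREACH:
            # Kept so "fragmentation needed" reaches the inside host and
            # PMTUD is not broken. A real firewall would also check the
            # embedded IP header against a known flow.
            return "allow"
        return "drop"                     # everything else (redirect, etc.)


def permissive_default(pkt):
    """The 'any to any' ping rule the thread complains about."""
    return "allow"


def demo():
    """Run constructed packets through both policies; returns the verdicts."""
    f = IcmpFilter()
    outside, inside = "203.0.113.5", "192.168.1.1"   # constructed addresses
    probe = Icmp(outside, inside, ECHO_REQUEST, ident=1, seq=1)
    req = Icmp(inside, outside, ECHO_REQUEST, ident=7, seq=1)
    reply = Icmp(outside, inside, ECHO_REPLY, ident=7, seq=1)
    frag = Icmp("198.51.100.1", inside, DEST_UNREACH, code=FRAG_NEEDED)
    return {
        "default_probe": permissive_default(probe),
        "probe": f.inbound(probe),
        "unsolicited_reply": f.inbound(reply),
        "request_out": f.outbound(req),
        "matching_reply": f.inbound(reply),
        "replayed_reply": f.inbound(reply),
        "frag_needed": f.inbound(frag),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The point of the model is the ordering of checks: state is consulted only for echo-reply, echo-request from outside never reaches the state table, and unreachables are admitted independently of echo state so a host inside can still learn a smaller path MTU.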



Re: Default configuration in WatchGuard Firewall

1999-09-07 Thread Chris Brenton

Alfonso Lazaro wrote:

> I have found a misconfiguration in the default configuration
> of Watchguard Firewall.
>
> By default it appends a rule that it accepts pings from any to any.
>
> So if our firebox is defending our internal network
> ( 192.168.x.x ... ) and our WG Firewall is a proxy with an external
> ip in internet ( 100.100.100.100 hypothetical ip address ) the attacker
> can change his/her routes like so :
>
> # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
>
> # ping 192.168.1.1

Not to detract from the security implications of allowing echo-request
inbound unchecked, but in most cases the above would be of little use.
Every router between the attacker and the WatchGuard firewall would need
to be configured to point 192.168.0.0 towards the firewall, something
that is not going to happen per the RFC's (unless the attacker also
compromises each router along the link).

The above attack pattern would only be useful in the following
situation:
1) The attacker can source route inbound traffic
2) The protected network is actually legal, routed address space
3) The attacker gains access to the wire between the firewall & the
Internet router

If #1 works, shame on you. If #3 works, you have bigger problems than
ICMP through the firewall. ;)

Cheers,
Chris
--

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
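Chris's routing argument, as an added example that is not part of the original thread: a Python simulation of hop-by-hop, destination-based forwarding. The attacker's static route only affects the attacker's own box; the next router upstream has no route for 192.168.0.0/16, so the packet dies there unless the attacker is on the firewall's external wire (Chris's case 3) or can pin the hops with a loose source route that every router along the way honours (case 1). The node names, prefixes and forwarding tables are assumptions constructed for the demonstration.

```python
"""Hop-by-hop forwarding vs. source routing (added example, not from the thread)."""
import ipaddress


class Node:
    """A host or router with a destination-based forwarding table."""

    def __init__(self, name, routes, honour_source_route=True):
        self.name = name
        # routes: (prefix, next hop name); "local" means deliver here
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.honour_source_route = honour_source_route

    def next_hop(self, dst):
        """Longest-prefix match; None when the table has no route at all."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(topology, start, dst, source_route=(), max_hops=16):
    """Walk a packet hop by hop and return the path followed by a verdict."""
    path = [start]
    pending = list(source_route)   # hops the sender asked for (loose source route)
    node = start
    for _ in range(max_hops):
        n = topology[node]
        if pending:
            if not n.honour_source_route:
                return path + ["DROPPED: source route refused"]
            nh = pending.pop(0)    # router obeys the option, not its table
        else:
            nh = n.next_hop(dst)   # ordinary destination-based forwarding
        if nh is None:
            return path + ["DROPPED: no route"]
        if nh == "local":
            return path + ["DELIVERED"]
        path.append(nh)
        node = nh
    return path + ["DROPPED: hop limit"]


def build(isp_honours_source_route=True):
    """Constructed topology: attacker -> isp -> firebox (external 100.100.100.0/24)."""
    return {
        # The attacker's 'route add' for 192.168.0.0/24 lists a gateway that is
        # not on-link; the packet still physically leaves via the default router.
        "attacker": Node("attacker", [("192.168.0.0/24", "isp"), ("0.0.0.0/0", "isp")]),
        # Upstream router: knows the firebox's public prefix and the attacker's,
        # but has no route for private 192.168.0.0/16 (RFC 1918 is not routed).
        "isp": Node("isp", [("100.100.100.0/24", "firebox"), ("203.0.113.0/24", "attacker")],
                    honour_source_route=isp_honours_source_route),
        "firebox": Node("firebox", [("100.100.100.0/24", "local"), ("192.168.0.0/16", "local")]),
        # Attacker sitting on the firebox's external wire (Chris's case 3).
        "wire_attacker": Node("wire_attacker",
                              [("192.168.0.0/16", "firebox"), ("100.100.100.0/24", "firebox")]),
    }


def demo():
    """Four scenarios from the discussion; returns name -> path."""
    target = "192.168.1.1"
    return {
        "across_internet": trace(build(), "attacker", target),
        "loose_source_route": trace(build(), "attacker", target, ["isp", "firebox"]),
        "source_route_refused": trace(build(False), "attacker", target, ["isp", "firebox"]),
        "on_the_wire": trace(build(), "wire_attacker", target),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:22} {' -> '.join(path)}")
```

Only the source-routed path and the on-the-wire attacker ever reach the firebox; in the ordinary case the ping never arrives for the "any to any" rule to accept, which is why the routing trick matters far less than the ICMP policy itself.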