Hi Tom;

On Sunday, 5 June 2011, at 18:32:28, Tom Eastep wrote:

> 2) Network developers have discovered an exploit that allows hosts to
> poke holes in a firewall. The known ways to protect against the
> exploit are:
>
> a) rt_filter (Shorewall's routefilter). Only applicable to IPv4
> and can't be used with some multi-ISP configurations.
>
> b) Insert a DROP rule that prevents hairpinning (routeback). The
> rule must be inserted before any ESTABLISHED,RELATED firewall
> rules. This approach is not appropriate for bridges and other
> cases, where the 'routeback' option is specified or implied.
>
> For non-routeback interfaces, Shorewall and Shorewall6 will insert
> a hairpin rule, provided that the routefilter option is not
> specified. The rule will dispose of hairpins according to the
> setting of two new options in shorewall.conf and shorewall6.conf:
>
> SFILTER_LOG_LEVEL
> Specifies the logging level; default is 'info'. To omit
> logging, specify FILTER_LOG_LEVEL=none.
>
> SFILTER_DISPOSITION
> Specifies the disposition. Default is DROP and the possible
> values are DROP, A_DROP, REJECT and A_REJECT.
>
> To deal with bridges and other routeback interfaces, there is now
> an 'sfilter' option in /shorewall/interfaces and
> /etc/shorewall6/interfaces.
>
> The value of the 'sfilter' option is a list of network addresses
> enclosed in parentheses. Where only a single address is listed,
> the parentheses may be omitted. When a packet from a
> source-filtered address is received on the interface, it is
> disposed of based on the new SFILTER_ options described above.
>
> For a bridge or other routeback interface, you should list all of
> your other local networks (those networks not attached to the
> bridge) in the bridge's sfilter list.
I'm a bit puzzled. Can you provide a link to a more in-depth description? Does that mean all shorewall versions <= 4.4.19 are affected?

thx
kp

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
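To make the quoted announcement concrete, here is an added configuration example (not part of the original thread and not the Shorewall project's own documentation) showing the two new shorewall.conf settings together with an interfaces entry for a bridge. The interface names (eth0, br0), the zone names, the network addresses and the `sfilter=(...)` spelling with an equals sign are assumptions made for the illustration; the announcement itself only says the option takes a parenthesised list.

```ini
# /etc/shorewall/shorewall.conf (added example, assumed values)
#
# Hairpin / source-filter handling described in the announcement.
# Keep logging on so that spoofed-source packets arriving on the
# wrong interface show up in the kernel log; 'none' would silence it.
SFILTER_LOG_LEVEL=info
# DROP is the announced default; REJECT, A_DROP or A_REJECT are the
# other documented values.
SFILTER_DISPOSITION=DROP

# /etc/shorewall/interfaces (added example, assumed values)
#
# eth0 is a plain routed (non-routeback) interface: Shorewall adds the
# hairpin rule automatically, so no sfilter option is needed here.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
#
# br0 is a bridge, which implies routeback, so the automatic hairpin
# rule is not applied. Per the announcement, list every other local
# network (the ones NOT attached to the bridge) in its sfilter list:
# a packet claiming to come from 10.0.2.0/24 but arriving on br0 is
# then disposed of according to SFILTER_DISPOSITION.
loc     br0         detect      bridge,sfilter=(10.0.2.0/24,10.0.3.0/24)
dmz     eth1        detect      -
```

Once the files are in place the usual `shorewall check` followed by `shorewall restart` applies them; if a legitimate local network is attached to br0 itself it must not appear in that bridge's sfilter list, or its traffic will be dropped.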
