[BUG] INPUT is permitted even if DROP exists
Sameh Attia
Sun Feb 11 13:40:36 CET 2007
Hi,
We are running the latest version of FIAIF, 1.21.1. We have N zones,
Zone1, Zone2, ..., and ZoneN. Each zone is associated with a certain
interface with a certain IP and network range. For example, ZoneX has an
address IPX and a network NetX.
The problem is that if we have any zone with its INPUT's rules set as:
ZONE X:
INPUT[0]="ACCEPT XXX 0.0.0.0/0=>0.0.0.0/0"
INPUT[1]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"
and all other zones' rules set as:
ALL ZONES EXCEPT X:
INPUT[0]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"
We end up with all hosts coming through the interface of zone X being able to
communicate with all the other INPUT interfaces of all the other zones,
regardless of whether there is a clear DROP statement or not. This is due to
the fact that FIAIF converts this setup into iptables rules that are restricted
only to packets coming in through X's physical interface.
I think there should be another check that protects against such generic rules
in the other remaining zones, especially since FIAIF used to have the
0.0.0.0/0 notation as an alias for the zone's network range.
Regards
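The behaviour the report describes, modelled in Python as an added example (this is not FIAIF code). The zone model and the "ACTION PROTO SRC=>DST" rule syntax follow the post; the shape of the generated iptables command (interface match only, destination passed through unchanged), the sample zone names, interfaces and addresses, and the use of "tcp" in place of the post's "XXX" are all assumptions. The checker flags an ACCEPT whose destination also covers another zone's interface address, and `tighten()` applies the aliasing the poster says FIAIF used to do (0.0.0.0/0 destination becomes the zone's own network range).

```python
"""Model of the over-broad per-zone INPUT rule described in the report.
Added example, not FIAIF code: the translation to iptables and the sample
zones are assumptions about how such a setup is realised."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    iface: str          # interface the zone is bound to
    ip: str             # host address on that interface
    net: str            # network range behind the interface
    input_rules: list   # FIAIF-style INPUT[] entries, in order


def parse_rule(rule):
    """Split 'ACCEPT tcp 0.0.0.0/0=>0.0.0.0/0' into (action, proto, src, dst)."""
    action, proto, pair = rule.split(None, 2)
    src, dst = pair.split("=>")
    return action, proto, src, dst


def to_iptables(zone, rule):
    """Render one INPUT entry as an iptables command that, as the report says,
    only restricts the incoming interface (assumed shape of the generated rule)."""
    action, proto, src, dst = parse_rule(rule)
    cmd = ["iptables", "-A", "INPUT", "-i", zone.iface]
    if proto.upper() != "ALL":
        cmd += ["-p", proto]
    cmd += ["-s", src, "-d", dst, "-j", action]
    return " ".join(cmd)


def overreaching_accepts(zones):
    """Find ACCEPT entries whose destination also covers another zone's
    interface address: a packet entering on this zone's interface but addressed
    to the host's address in another zone is accepted here, so that other
    zone's INPUT DROP never sees it."""
    findings = []
    for zone in zones:
        for rule in zone.input_rules:
            action, _, _, dst = parse_rule(rule)
            if action != "ACCEPT":
                continue
            dst_net = ipaddress.ip_network(dst, strict=False)
            hit = [o.name for o in zones
                   if o is not zone and ipaddress.ip_address(o.ip) in dst_net]
            if hit:
                findings.append((zone.name, rule, hit))
    return findings


def tighten(zone):
    """Return a copy of the zone in which a 0.0.0.0/0 destination is replaced
    by the zone's own network range, the aliasing the report says FIAIF used
    to apply.  (Substituting zone.ip instead would be stricter still.)"""
    rules = []
    for rule in zone.input_rules:
        action, proto, src, dst = parse_rule(rule)
        if dst == "0.0.0.0/0":
            dst = zone.net
        rules.append(f"{action} {proto} {src}=>{dst}")
    return Zone(zone.name, zone.iface, zone.ip, zone.net, rules)


# Constructed sample: zone X (Zone1) accepts tcp from anywhere to anywhere and
# then drops the rest; every other zone drops everything.  Addresses are made up.
ZONES = [
    Zone("Zone1", "eth0", "10.1.0.1", "10.1.0.0/24",
         ["ACCEPT tcp 0.0.0.0/0=>0.0.0.0/0", "DROP ALL 0.0.0.0/0=>0.0.0.0/0"]),
    Zone("Zone2", "eth1", "10.2.0.1", "10.2.0.0/24",
         ["DROP ALL 0.0.0.0/0=>0.0.0.0/0"]),
    Zone("Zone3", "eth2", "192.168.5.1", "192.168.5.0/24",
         ["DROP ALL 0.0.0.0/0=>0.0.0.0/0"]),
]


if __name__ == "__main__":
    for z in ZONES:
        for r in z.input_rules:
            print(to_iptables(z, r))
    print("over-broad:", overreaching_accepts(ZONES))
    print("after tightening:", overreaching_accepts([tighten(z) for z in ZONES]))
```

Run as-is, the checker reports Zone1's ACCEPT as reaching the interface addresses of Zone2 and Zone3, which is exactly the leak the report describes; after `tighten()` the destination is confined to Zone1's own range and the finding disappears. Narrowing the destination to the interface address itself rather than the whole zone network is the more conservative choice for INPUT rules, since INPUT only ever concerns the host's own addresses.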