[bglug] Fw: [RHSA-2002:086-05] Netfilter information leak

embyte bglug@lists.linux.it
Fri, 10 May 2002 20:36:09 +0200


For those using iptables NAT: (ps. I can't make it to the LUG tonight,
doh!)

> 1. Topic:
>
> Netfilter ("iptables") can leak information about how port forwarding
> is done in unfiltered ICMP packets.  The older "ipchains" code is not
> affected.
>
> This bug only affects users using the Network Address Translation
> features of firewalls built with netfilter ("iptables").  Red Hat
> Linux's firewall configuration tools use "ipchains," and those
> configurations are not vulnerable to this bug.
>
> 3. Problem description:
>
> Systems using the netfilter ("iptables") Network Address Translation
> (NAT) capabilities are subject to the following bug:  When a NAT rule
> applies to the first packet of a connection and that packet later
> causes the system to generate an ICMP error message, the ICMP
> error message is sent out with translated addresses included. This
> address information incorrectly gives the IP address to which the
> connection would have been forwarded if the ICMP error message was
> not generated, which exposes information about the netfilter
> configuration (which ports are being translated) and about the
> network topology (which address the ports are being forwarded to).
> Also, the incorrect ICMP packets may be dropped by other intervening
> stateful firewalls as malformed packets.
>
> ICMP error packets generated by the host being routed to are not
> affected by this bug.
>
> The firewall configuration generated by Red Hat Linux's firewall
> configuration tools uses ipchains, not iptables; thus, default
> configurations of Red Hat Linux are not affected by this bug.
>
> 4. Solution:
>
> Unfortunately, this problem currently has no clean fix, but while
> a clean fix is being worked on, there is a sufficient workaround:
>
> Filter out untracked local icmp packets using the following command:
> iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
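As an added example (not part of the forwarded advisory or of Red Hat's own tooling), the script below decodes an ICMP error message the way the advisory describes the problem: an ICMP "destination unreachable" quotes the IP header and first 8 bytes of the datagram that triggered it, so if a NAT box fills that quoted header with the post-DNAT address and port, a client can read the internal target straight out of the error. The addresses, the DNAT target (198.51.100.1:80 forwarded to 10.0.0.10:8080), the packet bytes and the helper names are all constructed for illustration; a practitioner would feed it raw IPv4 packets from a capture taken on the client side of the firewall, before and after adding the workaround rule.

```python
"""Decode an ICMP error that quotes a NAT'ed packet and flag leaked translations.

Added example, not from the advisory: every packet here is constructed inline
and the addresses, ports and function names are assumptions for illustration.
"""
import struct
import ipaddress

# ICMP types that carry a quoted copy of the offending datagram (RFC 792):
# 3 unreachable, 4 source quench, 5 redirect, 11 time exceeded, 12 parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over correct data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_first8(sport: int, dport: int, seq: int) -> bytes:
    """Ports and sequence number: the 8 bytes an ICMP error must quote."""
    return struct.pack("!HHI", sport, dport, seq)


def icmp_unreachable(code: int, quoted: bytes) -> bytes:
    """ICMP type 3 message (8-byte header) followed by the quoted datagram."""
    msg = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_error(pkt: bytes) -> dict:
    """Return outer addresses plus the quoted (inner) addresses and ports of an ICMP error."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d quotes no datagram" % icmp[0])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                      # quoted IP header + first 8 bytes of payload
    inner_ihl = (inner[0] & 0x0F) * 4
    info = {
        "outer_src": str(ipaddress.ip_address(pkt[12:16])),
        "outer_dst": str(ipaddress.ip_address(pkt[16:20])),
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "inner_src": str(ipaddress.ip_address(inner[12:16])),
        "inner_dst": str(ipaddress.ip_address(inner[16:20])),
        "inner_proto": inner[9], "inner_sport": None, "inner_dport": None,
    }
    if info["inner_proto"] in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP or UDP
        info["inner_sport"], info["inner_dport"] = struct.unpack(
            "!HH", inner[inner_ihl:inner_ihl + 4])
    return info


def nat_leak_findings(pkt: bytes, public_ip: str, public_port: int) -> list:
    """Compare the quoted destination with the address/port the client really sent to.

    A mismatch means the firewall copied post-DNAT (translated) values into the
    quoted header, which is exactly the leak the advisory describes.
    """
    info = parse_icmp_error(pkt)
    findings = []
    if info["inner_dst"] != public_ip:
        kind = "private" if ipaddress.ip_address(info["inner_dst"]).is_private else "unexpected"
        findings.append("quoted destination %s is %s (client sent to %s)"
                        % (info["inner_dst"], kind, public_ip))
    if info["inner_dport"] is not None and info["inner_dport"] != public_port:
        findings.append("quoted destination port %d differs from %d"
                        % (info["inner_dport"], public_port))
    return findings


# Constructed scenario (assumption): client -> public 198.51.100.1:80, DNAT'ed to 10.0.0.10:8080
CLIENT, PUBLIC_IP, PUBLIC_PORT = "203.0.113.5", "198.51.100.1", 80
INTERNAL_IP, INTERNAL_PORT = "10.0.0.10", 8080


def make_error(quoted_dst: str, quoted_dport: int) -> bytes:
    """Firewall -> client ICMP port-unreachable quoting the client's 40-byte SYN."""
    quoted = ipv4_header(CLIENT, quoted_dst, 6, 20) + tcp_first8(40000, quoted_dport, 1)
    icmp = icmp_unreachable(3, quoted)
    return ipv4_header(PUBLIC_IP, CLIENT, 1, len(icmp)) + icmp


LEAKY_PKT = make_error(INTERNAL_IP, INTERNAL_PORT)   # constructed: affected netfilter NAT box
CLEAN_PKT = make_error(PUBLIC_IP, PUBLIC_PORT)       # constructed: correct behaviour

if __name__ == "__main__":
    for name, pkt in (("leaky", LEAKY_PKT), ("clean", CLEAN_PKT)):
        print(name, nat_leak_findings(pkt, PUBLIC_IP, PUBLIC_PORT))
```

The checks key off the quoted inner header rather than the outer addresses because the outer ones are already what the client expects (the firewall's public address); it is the quoted copy that carries the translated target. Running the same decoder on a capture after the advisory's `iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP` rule is in place should show no such locally generated errors reaching the client at all.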