SECURITY RISK

I just had someone gain access to the webmin interface of my firewall (version 3.383). It was due to a config error, but I believe there should be a little protection from such F#$kups.

OK. What what caused it. I just set up astaro with PPPoE and enabled MASQ of the internal network. I added a rule to allow HTTPS to go from ANY to INTERNAL WEB SERVER (a specific internal address). All good so far. I however forgot to add the DNAT/SNAT rule to redirect port 443 to go to this internal address. So rather than dropping the packets the fw accepted them itself and presented the webmin interface to the outside world (this is BAD). Maybe a few checks need to be added to prevent this occuring.

Regards
Simon.

0 vtanger over 22 years ago

I know admins needing to access the FW admin interface from anywhere (e.g. from home). So they rightfully allow "any-https-fw". This would be prevented by the suggested security-wizard. All "intelligent" checks I know (even the meager ones CheckPoint implements) fail earlier or later, when the ruleset reaches a sufficient complexit.

So yes, being the firewall admin gives you the license to shoot (non-literally meaning) - even to shoot yourself into the foot...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 BarryG over 22 years ago in reply to vtanger

I believe this is an option on the System settings in 3.2; I don't know about the 4.x beta.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 theRat_01 over 22 years ago in reply to BarryG

What I was suggesting is that to allow access to the admin interface from the outside should require an explicit rule, not some weird combination that somehow ends up giving access. As I suggested before I believe this to be a bug in the NAT code.

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel