Gentoo Logo

Shorewall: Security policy bypass


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200507-20 / shorewall
Release Date July 22, 2005
Latest Revision September 14, 2005: 02
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-firewall/shorewall <= 2.4.1 >= 2.4.2 All supported architectures

Related bugreports: #99398


A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.

2.  Impact Information


Shorewall is a high level tool for configuring Netfilter, the firewall facility included in the Linux Kernel.


Shorewall fails to enforce security policies if configured with "MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value greater or equal to 0.


A client authenticated by MAC address filtering could bypass all security policies, possibly allowing him to gain access to restricted services. The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf

3.  Resolution Information


Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the Shorewall configuration file (usually /etc/shorewall/shorewall.conf).


All Shorewall users should upgrade to the latest available version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose net-firewall/shorewall

4.  References


Page updated July 22, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.