Shorewall: Security policy bypass
Gentoo Linux Security Advisory
||GLSA 200507-20 / shorewall
||July 22, 2005
||September 14, 2005: 02
All supported architectures
A vulnerability in Shorewall allows clients authenticated by MAC address
filtering to bypass all other security rules.
Shorewall is a high level tool for configuring Netfilter, the firewall
facility included in the Linux Kernel.
Shorewall fails to enforce security policies if configured with
"MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value
greater or equal to 0.
A client authenticated by MAC address filtering could bypass all
security policies, possibly allowing him to gain access to restricted
services. The default installation has MACLIST_DISPOSITION=REJECT and
MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking
at the settings in /etc/shorewall/shorewall.conf
Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the
Shorewall configuration file (usually /etc/shorewall/shorewall.conf).
All Shorewall users should upgrade to the latest available version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose net-firewall/shorewall