On Mon, Jul 12, 2010 at 09:19:33AM -0400, Daniel P. Berrange wrote:
> For
>
>   https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2242
>
> IPtables will seek to preserve the source port unchanged when
> doing masquerading, if possible. NFS has a pseudo-security
> option where it checks for the source port <= 1023 before
> allowing a mount request. If an admin has used this to make the
> host OS trusted for mounts, the default iptables behaviour will
> potentially allow NAT'd guests access too. This needs to be
> stopped.
>
> With this change, the iptables -t nat -L -n -v rules for the
> default network will be
>
> Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    14   840 MASQUERADE tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>    75  5752 MASQUERADE udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>     0     0 MASQUERADE all  --  *      *       192.168.122.0/24    !192.168.122.0/24
>
> * src/network/bridge_driver.c: Add masquerade rules for TCP
>   and UDP protocols
> * src/util/iptables.c, src/util/iptables.c: Add source port
>   mappings for TCP & UDP protocols when masquerading.

Looks fine, ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
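The following is an added example and is not part of the message above or of libvirt's own code. It is a small audit script for the condition the patch fixes: it reads an iptables-save dump of the nat table and reports, for TCP and UDP separately, whether a NAT'd guest's privileged source port (<= 1023) can survive MASQUERADE unchanged. The two dumps embedded in it are constructed to mirror the before/after state the patch description gives for the default network, written in iptables-save syntax (`-j MASQUERADE --to-ports 1024-65535`) rather than the `-L -n -v` listing quoted in the message. The check assumes the rules all apply to the guest subnet and therefore ignores `-s`/`-d` matches; it does honour first-match ordering, since MASQUERADE is a terminating target and a catch-all rule placed before the per-protocol ones would win.

```python
"""Audit iptables nat POSTROUTING rules for port-preserving masquerade.

Added example, not libvirt code. Assumption: every MASQUERADE rule in the
dump applies to the guest subnet, so source/destination matches are ignored.
"""

PRIV_PORT_MAX = 1023  # NFS 'secure' export option trusts source ports <= 1023

# Constructed iptables-save excerpt: the pre-fix default network. A single
# protocol-agnostic MASQUERADE rule preserves the guest's source port when it can.
NAT_BEFORE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [95:9163]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""

# Constructed iptables-save excerpt: the post-fix rules. TCP and UDP are
# rewritten into an unprivileged port range; the catch-all only sees other protocols.
NAT_AFTER = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [95:9163]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""


def parse_nat_rules(dump):
    """Return the POSTROUTING rules of the *nat table, in order, as dicts."""
    rules = []
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
            continue
        if not in_nat or not line.startswith("-A POSTROUTING"):
            continue
        tokens = line.split()
        rule = {"proto": None, "target": None, "to_ports": None, "raw": line}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-p" and i + 1 < len(tokens):
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tok == "-j" and i + 1 < len(tokens):
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok == "--to-ports" and i + 1 < len(tokens):
                rule["to_ports"] = tokens[i + 1]
                i += 2
            else:
                i += 1  # -s, -d, -o, -m ... are not needed for this check
        rules.append(rule)
    return rules


def port_range(spec):
    """'1024-65535' -> (1024, 65535); a single port '2049' -> (2049, 2049)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def privileged_port_exposed(dump):
    """For tcp and udp: can a guest source port <= 1023 leave the host unchanged?

    Walks the chain in order; the first MASQUERADE rule that matches a protocol
    decides for it. A rule without --to-ports, or whose range starts at or
    below 1023, leaves the privileged port reachable.
    """
    decided = {}
    for rule in parse_nat_rules(dump):
        if rule["target"] != "MASQUERADE":
            continue
        if rule["proto"] is None:
            # Catch-all rule: every protocol not matched above gets the default,
            # port-preserving masquerade, and nothing after it is reached.
            for proto in ("tcp", "udp"):
                decided.setdefault(proto, True)
            break
        proto = rule["proto"]
        if proto in ("tcp", "udp") and proto not in decided:
            if rule["to_ports"] is None:
                decided[proto] = True
            else:
                low, _ = port_range(rule["to_ports"])
                decided[proto] = low <= PRIV_PORT_MAX
    # No MASQUERADE rule at all means the guest address is not hidden behind
    # the host, so the host's privileged-port trust is not borrowed.
    return {p: decided.get(p, False) for p in ("tcp", "udp")}


def findings(dump):
    """Human-readable lines, one per exposed protocol (empty list means clean)."""
    return [
        f"{proto}: MASQUERADE can preserve source ports <= {PRIV_PORT_MAX}; "
        f"add '-p {proto} -j MASQUERADE --to-ports 1024-65535' before the catch-all rule"
        for proto, exposed in privileged_port_exposed(dump).items() if exposed
    ]


if __name__ == "__main__":
    for name, dump in (("before", NAT_BEFORE), ("after", NAT_AFTER)):
        print(name, findings(dump) or ["ok"])
```

To check a live host, pipe `iptables-save -t nat` into `findings()`. Two caveats worth keeping in mind: exports(5) applies the `secure` (privileged-port) check by default unless `insecure` is set, so this trust relationship exists on most NFS servers without anyone having opted into it; and the script only reasons about the nat POSTROUTING chain, so a SNAT rule (which by default also tries to keep the source port) or rules in another table are outside what it checks.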