Re: [iptables PATCH 9/9] extensions: DNAT: Support service names in all spots

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 2022-03-30 22:57, Phil Sutter wrote:
>> >+-p tcp -j DNAT --to-destination 1.1.1.1:echo-ftp-data/ssh;-p tcp -j DNAT --to-destination 1.1.1.1:7-20/22;OK
>> 
>> This looks dangerous. It is why I originally never allowed service names in
>> port ranges that use dash as the range character.
>
>Guess if someone is able to manipulate /etc/services, any service names
>are problematic, not just in ranges.

Well, pretty much anyone has a shot at manipulating this file. File a
port registration with IANA, and when your distro updates the file,
eventually there is a chance of messing up firewall configs,
worldwide.

Other than that, thanks to nsswitch, the service list can also be in
LDAP or so, and then all that's needed is a disgruntled LDAP admin
who dislikes the firewall admin.

>Another potential problem I didn't have in mind though is that 'a-b'
>could mean [a; b] or [a-b] assuming that all three exist. But I haven't
>found a valid example in my /etc/services, yet. :)

I found 25 at once!

914c :: 914c-g :: g-talk
ads :: ads-s :: s-openmail
bctp :: bctp-server :: server-find
cis :: cis-secure :: secure-mqtt
connect :: connect-server :: server-find
docker :: docker-s :: s-openmail
documentum :: documentum-s :: s-openmail
domain :: domain-s :: s-openmail
dtp :: dtp-net :: net-device
genie :: genie-lm :: lm-mon
linktest :: linktest-s :: s-openmail
mailbox :: mailbox-lm :: lm-mon
mbap :: mbap-s :: s-openmail
ns :: ns-server :: server-find
plato :: plato-lm :: lm-mon
rmonitor :: rmonitor-secure :: secure-mqtt
sentinel :: sentinel-lm :: lm-mon
sitewatch :: sitewatch-s :: s-openmail
spss :: spss-lm :: lm-mon
sql :: sql-net :: net-device
tacacs :: tacacs-ds :: ds-slp
tl1 :: tl1-lv :: lv-auth
trim :: trim-ice :: ice-router
wnn6 :: wnn6-ds :: ds-slp
wsdapi :: wsdapi-s :: s-openmail

To be read as: "wsdapi-s-openmail" is ambiguous, because
it allows for two interpretations (and all four port names are in
/etc/services):

	[wsdapi]-[s-openmail]
	[wsdapi-s]-[openmail]


>> The "solution" would be to use : as the range character, but that would require
>> a new --dport option for reasons of command-line compatibility.
>
>Well, we could allow both (a-b with numeric a and b only) and use it in
>output only if non-numeric was requested.

Given I'm seeing "914c" in the IANA list (leading digits always stand
out from the crowd, e.g. you don't normally see them in UNIX
usernames either), I won't hold my breath that no one would try to
register "914-915".



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux