Comments (5)
If not allowing "all" as a parameter, at least "icmp" should not fail...
Original comment by [email protected]
on 26 Apr 2010 at 1:29
from capirca.
This issue is known, and is problematic to fix due to the multiple platforms that need to be supported and the fact that some support stateful filtering (iptables), while others do not (cisco/juniper).
If you only need Iptables generation, this can be fixed with the following change.
Insert the following diff to lib/policy.py in function _TranslateTerms() and it will work correctly for iptables output.
--- lib/policy.py (revision 80)
+++ lib/policy.py (working copy)
@@ -134,6 +134,12 @@
for term in terms:
# todo(pmoody): this probably belongs in Term.SanityCheck(),
# or at the very least, in some method under class Term()
+
+ # while parsing, we include HIGH_PORTS when 'established' is specified,
+ # but this should only apply to protocols with ports such as tcp/udp.
+ if 'established' in term.option:
+ if 'tcp' not in term.protocol and 'udp' not in term.protocol:
+ term.destination_port = []
if term.port:
term.port = TranslatePorts(term.port, term.protocol)
if not term.port:
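Review bot: the new guard clears `term.destination_port` only when neither tcp nor udp appears anywhere in `term.protocol`, so a term such as `protocol:: tcp icmp` with `established` keeps the parsed HIGH_PORTS for the icmp match as well; apply the check per protocol (or split the term) rather than on the whole list. It also touches only `destination_port`, leaving `term.port` (handled on the very next line) and any source ports alone, so confirm HIGH_PORTS is placed only in `destination_port` during parsing or the stale ports survive here. Since the todo above already says this belongs in `Term.SanityCheck()`, a one-line comment stating that the guard is correct for iptables output only would save the next reader from applying it to cisco/juniper.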
However, the drawback to doing this is that non-stateful platforms like Cisco and Juniper will produce some undesirable and dangerous output. For example, a term permitting all protocols with the 'established' option will result in output such as the following for target cisco:
permit all any any
Note that this results in a default allow rule, instead of a rule permitting only established connections. This is due to the fact that Cisco and Juniper filters do not support 'stateful' firewalling, while Iptables does. Outputting 'permit all any any established' would result in an error while trying to enter it on a Cisco.
I need to think about how to resolve this for future releases. Perhaps we can tag each target platform as supporting stateful or non-stateful filtering, and do the right thing where possible, erroring only when the combination of target and options would result in an insecure output.
Original comment by watson
on 26 Apr 2010 at 4:22
- Added labels: Priority-High
- Removed labels: Priority-Medium
from capirca.
This patch alone does not seem to resolve the issue. It appears to me that after applying the suggested patch, capirca still omits the "-m state --state ESTABLISHED,RELATED" portion. Additionally, I still believe that only allowing high ports is flawed. For instance, take the example of an ntpdate invocation that originates on source port udp/123 destined for port udp/123. Using the current implementation in capirca, the reply packet would be dropped :) So, I think just removing the HIGH_PORTS designation for iptables rules (at least) is more accurate. There is no need to specify the ports since the ESTABLISHED,RELATED terms will take care of whatever the initiated ports are automatically.
Thoughts?
Original comment by [email protected]
on 26 Apr 2010 at 8:18
from capirca.
>> So, I think just removing the HIGH_PORTS designation for iptables rules (at least) is more accurate. There is no need to specify the ports since the ESTABLISHED,RELATED terms will take care of whatever the initiated ports are automatically.
ESTABLISHED,RELATED is only used with stateful filtering. The iptables generator allows the creation of both stateful (conn_track) as well as stateless (specify 'nostate' argument in the target:: line) filters.
Original comment by [email protected]
on 12 Jul 2011 at 7:03
from capirca.
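Editor's added example, not capirca's own code and not written by any of the commenters. It models three things the thread argues about: the idea of tagging each target as stateful or stateless and refusing to render 'established' when the only possible output is an unconditional permit (the `permit all any any` case above), the difference between a stateful iptables target and the 'nostate' variant, and the ntpdate udp/123 to udp/123 case, where a HIGH_PORTS heuristic drops the reply and connection tracking does not. The target names, the capability tables, the simplified rule syntax, the `InsecureOutputError` class and the addresses in the NTP flow are all assumptions for illustration; real capirca has none of them.

```python
# Added example (not capirca code). Models "tag each target as stateful or
# stateless, do the right thing where possible, error only when the output
# would be insecure", plus the udp/123 NTP reply case from the thread.
from dataclasses import dataclass, field

HIGH_PORTS = (1024, 65535)          # the heuristic the thread disputes

# Hypothetical capability tags; capirca itself has no such table.
STATEFUL_TARGETS = {"iptables"}                   # conntrack available
STATELESS_TARGETS = {"iptables-nostate", "cisco"}  # no connection state


class InsecureOutputError(Exception):
    """Raised instead of emitting a rule wider than the policy asked for."""


@dataclass
class Term:
    name: str
    protocols: list                      # [] means "all", as in the thread
    options: list = field(default_factory=list)


def _rule(target, name, proto, suffix=""):
    """Render one line in the (simplified, assumed) syntax of the target."""
    if target in STATEFUL_TARGETS or target == "iptables-nostate":
        return f"-A {name} -p {proto}{suffix} -j ACCEPT"
    return f"permit {proto} any any{suffix}"


def render(term, target):
    """Return the rule lines for one term, or raise if they would be insecure."""
    established = "established" in term.options
    rules = []
    for proto in term.protocols or ["all"]:
        if not established:
            rules.append(_rule(target, term.name, proto))
        elif target in STATEFUL_TARGETS:
            # conntrack recognises the reply itself; no port heuristic needed
            rules.append(_rule(target, term.name, proto,
                               " -m state --state ESTABLISHED,RELATED"))
        elif proto == "tcp":
            # stateless targets can still key on TCP flags (ACK set)
            suffix = (" --tcp-flags ACK ACK" if target == "iptables-nostate"
                      else " established")
            rules.append(_rule(target, term.name, proto, suffix))
        elif proto == "udp":
            # best effort only: assumes replies land on a high port
            lo, hi = HIGH_PORTS
            suffix = (f" --dport {lo}:{hi}" if target == "iptables-nostate"
                      else f" range {lo} {hi}")
            rules.append(_rule(target, term.name, proto, suffix))
        else:
            # icmp or "all" with 'established' on a stateless target would
            # collapse to an unconditional permit; refuse rather than emit it
            raise InsecureOutputError(
                f"{term.name}: 'established' with {proto} on {target} "
                "cannot be expressed without permitting everything")
    return rules


def stateless_reply_allowed(dst_port):
    """What the HIGH_PORTS heuristic admits: a reply landing on a high port."""
    lo, hi = HIGH_PORTS
    return lo <= dst_port <= hi


class Conntrack:
    """Minimal stateful model: remember outbound flows, accept their reverse."""

    def __init__(self):
        self.flows = set()

    def outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def reply_allowed(self, proto, src, sport, dst, dport):
        return (proto, dst, dport, src, sport) in self.flows


def ntp_reply_survives(stateful):
    """Constructed flow: ntpdate from udp/123 on the client to udp/123 on the server."""
    client, server = "10.0.0.5", "192.0.2.10"       # constructed addresses
    if not stateful:
        return stateless_reply_allowed(dst_port=123)
    ct = Conntrack()
    ct.outbound("udp", client, 123, server, 123)
    return ct.reply_allowed("udp", server, 123, client, 123)


if __name__ == "__main__":
    print(render(Term("allow-replies", ["tcp", "icmp"], ["established"]), "iptables"))
    print(render(Term("allow-replies", ["tcp"], ["established"]), "cisco"))
    print("stateless NTP reply allowed:", ntp_reply_survives(stateful=False))  # False
    print("stateful NTP reply allowed:", ntp_reply_survives(stateful=True))    # True
    try:
        render(Term("allow-replies", [], ["established"]), "cisco")
    except InsecureOutputError as err:
        print("refused:", err)
```

The useful property is the last branch of `render`: a generator that cannot express the intent of a term for a given target should fail the build rather than widen the rule, because a silently emitted `permit all any any` is the kind of output nobody reviews until it is on the device.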
Original comment by [email protected]
on 14 Jul 2011 at 7:57
- Changed state: WontFix
from capirca.