Allowing too much - what a fool!

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am


I just discovered that through a slip up, a machine that I thought was locked down was wide open.

For the purposes of this, pretend that our network range is 1.1.1.128/26

We have a set of hardware nodes, each running a number of virtual machines each with their own IP addresses. We use APF as a firewall script on the VMs.


On one of the virtual machines, let's say 1.1.1.150, I had set a firewall rule to allow, both as a source and destination IP, 1.1.1.128/26 for both incoming and outgoing packets. The idea was to make sure all the systems within the network could communicate with .150 without any problems.

This was done by adding "1.1.1.128/26" in APF's allow_host.rules file.

Haha! What a fool!

The point here is that 1.1.1.128/26 includes .150, and by not being specific about what I wanted to allow (e.g. I should have just allowed 1.1.1.128/26 as a source address by using s=1.1.1.128/26 in allow_host.rules), I was basically saying allow all from all for .150 (the machine I was trying to protect).

Stupid, stupid, stupid :-)

Luckily no harm was done. But it could have been very different! This is actually the second time I've done this too. You'd think I'd have learned from the first time!
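The mistake in the post is easy to repeat because a bare address entry matches on destination as well as source, and every inbound packet to the protected host has that host as its destination. The following is an added example, not code from the post or from the APF project, that audits a small allow-list for exactly that pattern. It assumes the simplified entry syntax the post describes (a bare address/CIDR means "allow as source and as destination", `s=` restricts the match to the source address, `d=` to the destination address); the file contents below are constructed for the example.

```python
import ipaddress

# Constructed sample allow-list in the style the post describes (hypothetical
# contents, not copied from any real configuration). The bare /26 entry is the
# mistake from the post; the s= entry is the intended fix.
SAMPLE_RULES = """\
# comments and blank lines are ignored
1.1.1.128/26
s=1.1.1.128/26
d=1.1.1.150
s=203.0.113.7
"""


def parse_rule(line):
    """Return (scope, network) for one entry, or None for blanks/comments.

    scope is 'both' for a bare address/CIDR (matches source OR destination),
    'src' for an s= entry and 'dst' for a d= entry. This mirrors the simplified
    syntax in the post; it is an assumption, not a full parser for APF's
    advanced rule format.
    """
    line = line.split("#", 1)[0].strip()   # drop trailing comments
    if not line:
        return None
    scope = "both"
    if line.startswith("s="):
        scope, line = "src", line[2:]
    elif line.startswith("d="):
        scope, line = "dst", line[2:]
    return scope, ipaddress.ip_network(line, strict=False)


def audit_allow_rules(rules_text, host_ip):
    """Flag entries that let *any* remote source reach host_ip.

    An inbound packet to host_ip always carries host_ip as its destination, so
    an entry that can match on destination ('both' or 'dst') and whose network
    contains host_ip is satisfied by every inbound packet, whatever its source.
    Returns a list of (entry, reason, suggested_fix) tuples.
    """
    host = ipaddress.ip_address(host_ip)
    findings = []
    for raw in rules_text.splitlines():
        parsed = parse_rule(raw)
        if parsed is None:
            continue
        scope, net = parsed
        if scope == "src" or host not in net:
            continue  # source-only entries never widen the destination match
        reason = f"matches destination {host}, so every inbound source is allowed"
        if scope == "both":
            fix = f"s={net}"   # keep the intent: trust the range as a SOURCE only
        else:
            fix = "remove, or replace with an s= entry naming the trusted sources"
        findings.append((raw.strip(), reason, fix))
    return findings


if __name__ == "__main__":
    for entry, reason, fix in audit_allow_rules(SAMPLE_RULES, "1.1.1.150"):
        print(f"{entry!r}: {reason}; suggested: {fix}")
```

Run it against the real allow-list and the VM's own address before reloading the firewall; a clean run only says that no entry opens the host to all sources, not that the remaining source-restricted entries are the ones you intended.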