
List:       fwknop-discuss
Subject:    Re: [Fwknop-discuss] client overriding fw-timeout
From:       Michael Rash <michael.rash () gmail ! com>
Date:       2016-07-20 1:15:32
Message-ID: CAA9wn8=6QBsjzbJOksbiwCrmfW1vhy5mGMOEEyODnBmveJy=kg () mail ! gmail ! com


On Tue, Jul 19, 2016 at 4:10 PM, Jeremiah Rothschild <jeremiah@franz.com>
wrote:

> Hey Michael (and others),
>

Hello Jeremiah,


>
> It seems that fwknop clients are able to override the server
> FW_ACCESS_TIMEOUT setting by providing their own --fw-timeout value.
> This is true for both command line versions and fwknop-gui.
>
> Is this intentional? To me, it is a security issue that users can extend
> the firewall rules beyond what I'm trying to enforce.
>

Good catch, yes, users can currently provide their own --fw-timeout value.
For other things like the port itself, the access.conf file can enforce
restrictions, so I suppose we should do this for the timeout value as well.
A new variable MAX_FW_TIMEOUT could be added to make this configurable. The
absolute maximum that fwknopd currently allows is 4194304, but much lower
maximums should be supported too.

I've opened github issue 226 to track this for the next release.

Thanks,

--Mike


>
> Thanks in advance for the feedback!
>
> j
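
Added example, not fwknop's own code: a sketch of the server-side check Mike describes, where a hypothetical MAX_FW_TIMEOUT key in access.conf caps whatever --fw-timeout a client asks for. The "KEY value;" config format, the 30-second fallback default and the choice to clamp an over-cap request rather than reject it are assumptions of this example.

```c
/* Added example, not fwknop's own code: server-side enforcement of a cap on
 * client-requested firewall access timeouts. MAX_FW_TIMEOUT is the key the
 * thread proposes; its semantics and the config format here are assumptions. */
#include <stdio.h>
#include <string.h>

#define ABS_MAX_FW_TIMEOUT 4194304L   /* hard ceiling quoted in the thread */

struct access_policy {
    long fw_access_timeout;   /* FW_ACCESS_TIMEOUT: used when client sends none */
    long max_fw_timeout;      /* MAX_FW_TIMEOUT (hypothetical): 0 = not set */
};

/* Constructed access.conf-style stanza for the example. */
const char *EXAMPLE_CONF =
    "SOURCE any;\n"
    "FW_ACCESS_TIMEOUT 60;\n"
    "MAX_FW_TIMEOUT 120;\n";

/* Pull the two timeout keys out of a "KEY value;" stanza. */
static void parse_policy(const char *conf, struct access_policy *p)
{
    char key[64];
    long val;
    const char *line = conf;
    p->fw_access_timeout = 30;   /* this example's own fallback default */
    p->max_fw_timeout = 0;
    while (line && *line) {
        if (sscanf(line, " %63[A-Z_] %ld", key, &val) == 2) {
            if (strcmp(key, "FW_ACCESS_TIMEOUT") == 0) p->fw_access_timeout = val;
            else if (strcmp(key, "MAX_FW_TIMEOUT") == 0) p->max_fw_timeout = val;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
}

/* Timeout the server will actually install for one SPA request. Returns -1
 * for an invalid client value. Over-cap requests are clamped here; rejecting
 * the packet outright, as access.conf does for a disallowed port, is equally valid. */
long effective_timeout(const char *conf, int client_sent, long requested)
{
    struct access_policy p;
    long cap;
    parse_policy(conf, &p);
    cap = p.max_fw_timeout > 0 ? p.max_fw_timeout : ABS_MAX_FW_TIMEOUT;
    if (cap > ABS_MAX_FW_TIMEOUT) cap = ABS_MAX_FW_TIMEOUT;
    if (!client_sent) return p.fw_access_timeout;   /* server-side default */
    if (requested <= 0) return -1;
    return requested > cap ? cap : requested;       /* the cap always wins */
}
```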
