system/3638: Shortened Addresses in pf are dumb and prone to human error
- To: gnats@openbsd.org
- Subject: system/3638: Shortened Addresses in pf are dumb and prone to human error
- From: beck@bofh.cns.ualberta.ca
- Date: Sun, 18 Jan 2004 19:36:57 -0700 (MST)
- Resent-Date: Sun, 18 Jan 2004 20:10:03 -0700 (MST)
- Resent-From: gnats@cvs.openbsd.org (GNATS Filer)
- Resent-Message-Id: <200401190310.i0J3A3UB025287@cvs.openbsd.org>
- Resent-Reply-To: gnats@cvs.openbsd.org, beck@bofh.cns.ualberta.ca
- Resent-To: bugs@cvs.openbsd.org
>Number: 3638
>Category: system
>Synopsis: Shortened Addresses in pf are dumb and prone to human error
>Confidential: yes
>Severity: serious
>Priority: high
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jan 19 03:10:01 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Bob Beck
>Release: Current
>Organization:
net
>Environment:
System : OpenBSD 3.4-current
Architecture: all
Machine : all
>Description:
pf's address parsing allows shortened addresses of the form:
A.B
automatically promoting them to a class B. This is dangerous.
If you accidentally typo, or accidentally clobber something when editing
a file, you end up with (from a real example)
129.128.55.120
to let one address through your firewall, with a typo becomes
129.128 55.120
and now, in a table pf happily thinks those are two class B's and
allows
129.128.0.0/16 and 55.120.0.0/16 through your firewall. This sucks.
>How-To-Repeat:
put the above in a table, feed it to pf.
>Fix:
My suggestion? Either disallow shortened addresses entirely, or only
allow them when a mask is specified.
>Release-Note:
>Audit-Trail:
>Unformatted:
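The following is an added example, not part of the bug report and not pf's own parser. It models the lenient behaviour the report describes (an address with fewer than four octets is zero-padded and given an implied mask covering only the octets written, so A.B becomes A.B.0.0/16) next to the stricter rule the report proposes (shortened forms are rejected unless an explicit mask is present), and runs both over a table file containing the report's real typo. The `lint_table`, `lenient_expand` and `strict_check` names and the sample table text are constructed for this illustration.

```python
import ipaddress


def lenient_expand(token):
    """Model of the lenient parse described in the report (not pf's source):
    1-3 octets are zero-padded and the implied prefix length is 8 bits per
    octet actually written, so "129.128" -> 129.128.0.0/16.  An explicit
    "/mask" overrides the implied prefix."""
    addr, _, mask = token.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"not an IPv4 token: {token!r}")
    prefix = int(mask) if mask else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)


def strict_check(token):
    """The rule the report proposes: a shortened address is only accepted
    when the author wrote a mask, so a stray space cannot silently widen a
    single host into two /16s."""
    addr, _, mask = token.partition("/")
    if len(addr.split(".")) != 4 and not mask:
        raise ValueError(f"shortened address without explicit mask: {token!r}")
    return lenient_expand(token)


def lint_table(text, strict=True):
    """Walk a whitespace-separated table file (comments start with '#') and
    return (networks accepted, [(line number, error message), ...])."""
    parse = strict_check if strict else lenient_expand
    networks, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]
        for tok in line.split():
            try:
                networks.append(parse(tok))
            except ValueError as exc:
                errors.append((lineno, str(exc)))
    return networks, errors


def addresses_admitted(networks):
    """Total number of addresses the table would let through."""
    return sum(n.num_addresses for n in networks)


# Constructed sample tables: the intended entry and the report's typo.
INTENDED_TABLE = "129.128.55.120   # one host\n"
TYPO_TABLE = "129.128 55.120   # same line with a space instead of a dot\n"

if __name__ == "__main__":
    for label, text in (("intended", INTENDED_TABLE), ("typo", TYPO_TABLE)):
        nets, errs = lint_table(text, strict=False)
        print(f"{label:8} lenient: {[str(n) for n in nets]} "
              f"admits {addresses_admitted(nets)} address(es)")
        nets, errs = lint_table(text, strict=True)
        print(f"{label:8} strict : {[str(n) for n in nets]} errors={errs}")
```

Under the lenient model the typo line parses cleanly into `129.128.0.0/16` and `55.120.0.0/16` (131072 addresses instead of 1); under the strict rule both tokens are rejected with a line number, while a deliberately written `129.128/16` is still accepted.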