ClearFoundation Tracker - ClearOS
View Issue Details
0021091 | ClearOS | app-firewall - Firewall | public | 2018-08-14 11:37 | 2019-07-11 05:29
NickH
dsokoloski
normal | tweak | always
closed | fixed
7.5.0 Updates
7.6.0 | 7.6.0
0021091: Change to default incoming rule for 169.254.0.0/16 to block new packets only
From forum post https://www.clearos.com/clearfoundation/social/community/outgoing-connection-to-one-specific-address-does-not-work-even-if-all-outgoing-connections-are-allowed#reply-228511 it looks like various cloud providers are now using 169.254 addresses for instance metadata. See:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
and
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service.

Can I suggest the default Incoming rule for 169.254.0.0/16 is changed just to block NEW packets by adding "-m state --state NEW" to the rule.
No tags attached.
Issue History
2018-08-14 11:37 | NickH | New Issue
2018-08-14 11:39 | user2 | Target Version | => 7.5.0 Updates
2018-08-14 11:40 | user2 | Assigned To | => dsokoloski
2018-08-14 11:40 | user2 | Status | new => assigned
2018-10-30 18:11 | user2 | Target Version | 7.5.0 Updates => 7.6.0 Updates
2018-11-01 06:47 | NickH | Note Added: 0008441
2018-11-20 11:52 | dsokoloski | Status | assigned => resolved
2018-11-20 11:52 | dsokoloski | Resolution | open => fixed
2018-11-20 11:52 | dsokoloski | Fixed in Version | => 7.6.0
2018-11-20 11:52 | dsokoloski | Target Version | 7.6.0 Updates => 7.6.0
2019-07-11 05:29 | NickH | Status | resolved => closed

Notes
(0008441)
NickH   
2018-11-01 06:47   
Big dawning here. The firewall will block new packets anyway. Just remove the rule.
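
Added example (not part of the tracker entry and not ClearOS firewall code): a small first-match model comparing the blanket 169.254.0.0/16 drop, the "-m state --state NEW" variant proposed in the issue, and the rule removal suggested in note 0008441. The rule order, the ESTABLISHED/RELATED accept rule, the default DROP policy and the sample packets are assumptions made for illustration.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Rule = (source network or None for any, conntrack states or None for any, verdict).
# Rule order and the default DROP policy are assumed, not taken from ClearOS.
ACCEPT_ESTABLISHED = (None, {"ESTABLISHED", "RELATED"}, "ACCEPT")

RULESETS = {
    # Original default: drop everything sourced from 169.254.0.0/16.
    "blanket_drop": [(LINK_LOCAL, None, "DROP"), ACCEPT_ESTABLISHED],
    # Proposal in the issue: same rule limited by -m state --state NEW.
    "drop_new_only": [(LINK_LOCAL, {"NEW"}, "DROP"), ACCEPT_ESTABLISHED],
    # Note 0008441: no dedicated link-local rule at all.
    "rule_removed": [ACCEPT_ESTABLISHED],
}

def verdict(ruleset, src, state, policy="DROP"):
    """Evaluate one incoming packet first-match, falling back to the chain policy."""
    addr = ipaddress.ip_address(src)
    for net, states, action in RULESETS[ruleset]:
        if net is not None and addr not in net:
            continue
        if states is not None and state not in states:
            continue
        return action
    return policy

# Constructed sample packets arriving on the external interface.
PACKETS = {
    # Reply from the cloud metadata address to a request this host sent.
    "metadata_reply": ("169.254.169.254", "ESTABLISHED"),
    # Unsolicited inbound connection attempt from a link-local source.
    "unsolicited_link_local": ("169.254.10.20", "NEW"),
}

def compare():
    """Return {ruleset: {packet label: verdict}} for every ruleset and packet."""
    return {name: {label: verdict(name, *pkt) for label, pkt in PACKETS.items()}
            for name in RULESETS}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:14} {result}")
```

Under these assumptions only the blanket rule drops the metadata reply; the NEW-only rule and no rule at all give identical verdicts, which is the point of the note.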