ClearOS Bug Tracker


ID: 0021091
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2018-08-14 11:37
Last Update: 2018-11-20 11:52
Reporter: NickH
Assigned To: dsokoloski
Priority: normal
Severity: tweak
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 7.5.0 Updates
Target Version: 7.6.0
Fixed in Version: 7.6.0
Summary: 0021091: Change to default incoming rule for 169.254.0.0/16 to block new packets only
Description:
From forum post https://www.clearos.com/clearfoundation/social/community/outgoing-connection-to-one-specific-address-does-not-work-even-if-all-outgoing-connections-are-allowed#reply-228511 it looks like various cloud providers are now using 169.254 addresses for instance metadata. See:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
and
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service.

Can I suggest the default Incoming rule for 169.254.0.0/16 is changed just to block NEW packets by adding "-m state --state NEW" to the rule.
Tags: No tags attached.

Notes
(0008441)
NickH (developer)
2018-11-01 06:47

Big dawning here. The firewall will block new packets anyway. Just remove the rule.
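Added example, not part of the tracker entry and not ClearOS code: a minimal first-match model of an incoming chain comparing the three variants discussed above (drop everything from 169.254.0.0/16, drop only NEW, rule removed). Assumptions: the link-local rule sits ahead of an ESTABLISHED,RELATED accept rule, the chain policy is DROP, and the packets and all names (`Rule`, `Packet`, `verdict`, `CHAINS`) are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    state: str                    # conntrack state: NEW, ESTABLISHED, RELATED

class Rule(NamedTuple):
    src: Optional[str]            # source CIDR; None matches any source
    states: Optional[frozenset]   # conntrack states; None matches any state
    target: str                   # ACCEPT or DROP

def verdict(chain, policy, pkt):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
            continue
        if rule.states and pkt.state not in rule.states:
            continue
        return rule.target
    return policy

LINK_LOCAL = "169.254.0.0/16"
# Assumed stateful accept rule that lets replies to outgoing connections back in.
ACCEPT_TRACKED = Rule(None, frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT")

CHAINS = {
    # Unconditional drop: also discards replies from the metadata service.
    "drop_all": [Rule(LINK_LOCAL, None, "DROP"), ACCEPT_TRACKED],
    # Suggested change: -m state --state NEW added to the rule.
    "drop_new": [Rule(LINK_LOCAL, frozenset({"NEW"}), "DROP"), ACCEPT_TRACKED],
    # Rule removed: the DROP policy already stops unsolicited packets.
    "rule_removed": [ACCEPT_TRACKED],
}

# Constructed sample packets.
METADATA_REPLY = Packet("169.254.169.254", "ESTABLISHED")  # reply to an outgoing request
UNSOLICITED = Packet("169.254.10.20", "NEW")               # unsolicited inbound packet

def evaluate(policy="DROP"):
    """Return {variant: (verdict for metadata reply, verdict for unsolicited packet)}."""
    return {name: (verdict(chain, policy, METADATA_REPLY),
                   verdict(chain, policy, UNSOLICITED))
            for name, chain in CHAINS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:13s} reply={result[0]:6s} unsolicited={result[1]}")
```

Under these assumptions the NEW-only rule and the removed rule give identical verdicts, while the unconditional rule is the only variant that discards the metadata reply.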

Issue History

Date Modified     Username    Field                Change
2018-08-14 11:37  NickH       New Issue
2018-08-14 11:39  pbaldwin    Target Version       => 7.5.0 Updates
2018-08-14 11:40  pbaldwin    Assigned To          => dsokoloski
2018-08-14 11:40  pbaldwin    Status               new => assigned
2018-10-30 18:11  pbaldwin    Target Version       7.5.0 Updates => 7.6.0 Updates
2018-11-01 06:47  NickH       Note Added: 0008441
2018-11-20 11:52  dsokoloski  Status               assigned => resolved
2018-11-20 11:52  dsokoloski  Resolution           open => fixed
2018-11-20 11:52  dsokoloski  Fixed in Version     => 7.6.0
2018-11-20 11:52  dsokoloski  Target Version       7.6.0 Updates => 7.6.0