ClearOS Bug Tracker


View Issue Details
ID: 0021091
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2018-08-14 11:37
Last Update: 2018-08-14 11:40
Reporter: NickH
Assigned To: dsokoloski
Priority: normal
Severity: tweak
Reproducibility: always
Status: assigned
Resolution: open
Platform:
OS:
OS Version:
Product Version: 7.5.0 Updates
Target Version: 7.5.0 Updates
Fixed in Version:
Summary: 0021091: Change to default incoming rule for 169.254.0.0/16 to block new packets only
Description: From forum post https://www.clearos.com/clearfoundation/social/community/outgoing-connection-to-one-specific-address-does-not-work-even-if-all-outgoing-connections-are-allowed#reply-228511 it looks like various cloud providers are now using 169.254 addresses for instance metadata. See:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
and
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service.

Can I suggest the default Incoming rule for 169.254.0.0/16 is changed just to block NEW packets by adding "-m state --state NEW" to the rule.
Tags: No tags attached.
Attached Files:

- Relationships

- Notes
There are no notes attached to this issue.
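
The effect of the suggested "-m state --state NEW" match, modelled as an added example (not ClearOS code and not part of the original report): a toy connection-tracking filter in Python that compares an unconditional block of 169.254.0.0/16 with a NEW-only block. The host address, ports, the unsolicited source address and the later "accept ESTABLISHED" rule are assumptions made for illustration; 169.254.169.254 is the metadata address documented by AWS and Azure.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
METADATA = "169.254.169.254"   # instance metadata address documented by AWS and Azure
HOST = "10.0.0.5"              # constructed address for the firewalled instance


class InputChain:
    """Toy model of a stateful INPUT chain; not ClearOS's actual rule set."""

    def __init__(self, new_only):
        self.new_only = new_only   # True models the rule with "-m state --state NEW"
        self.conntrack = set()     # reply tuples expected for flows this host opened

    def send(self, src, sport, dst, dport):
        # Outgoing traffic is allowed; conntrack records the tuple a reply will carry.
        self.conntrack.add((dst, dport, src, sport))

    def receive(self, src, sport, dst, dport):
        state = "ESTABLISHED" if (src, sport, dst, dport) in self.conntrack else "NEW"
        if ipaddress.ip_address(src) in LINK_LOCAL:
            # The unconditional rule drops every packet from the range; the
            # NEW-only rule drops only packets that would open a connection.
            if not self.new_only or state == "NEW":
                return "DROP"
        # Assumption: a later rule accepts tracked flows and everything else is dropped.
        return "ACCEPT" if state == "ESTABLISHED" else "DROP"


def compare():
    """Return verdicts for a metadata reply and an unsolicited packet, per rule variant."""
    results = {}
    for label, new_only in (("block all", False), ("block NEW only", True)):
        fw = InputChain(new_only)
        fw.send(HOST, 40000, METADATA, 80)                         # instance queries metadata
        reply = fw.receive(METADATA, 80, HOST, 40000)              # answer to that query
        unsolicited = fw.receive("169.254.10.20", 5555, HOST, 22)  # inbound, no prior flow
        results[label] = {"metadata_reply": reply, "unsolicited": unsolicited}
    return results


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(label, verdicts)
```

In this model the NEW-only variant lets the metadata reply through while unsolicited traffic from the link-local range is still dropped in both variants.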

- Issue History
Date Modified Username Field Change
2018-08-14 11:37 NickH New Issue
2018-08-14 11:39 pbaldwin Target Version => 7.5.0 Updates
2018-08-14 11:40 pbaldwin Assigned To => dsokoloski
2018-08-14 11:40 pbaldwin Status new => assigned