ClearOS Bug Tracker
ID: 0000239
Project: ClearOS
Category: deprecated - ClearOS 5 Protocol Filter
View Status: public
Date Submitted: 2011-02-18 15:06
Last Update: 2012-04-18 19:39
Reporter: therevmj
Assigned To: dsokoloski
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 5.2-SP1
Fixed in Version: 6.2.0 Beta 2

Summary: 0000239: blocking finger protocol is overly aggressive

Description: If you enable blocking of the finger protocol, many other protocols are also blocked.

Additional Information: The pattern used for blocking the finger protocol (found in /etc/l7-filter/protocols/protocols/finger.pat) is:
   ^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:

The exceedingly problematic portion is:
    ^[a-z][a-z0-9\-_]+

Given the fact that the l7 filters are case insensitive, this means that any protocol that sends packets that start out with a letter followed by at least one letter, number, -, or _ will match.

I can only say for certain that http traffic is blocked when this rule is enabled, others should be affected as well (ssh because the banner starts out with 'SSH').

This rule either needs to be restricted to the default finger port of 79, or the pattern needs to be modified such that it does not block http and ssh protocols.

Unfortunately, I am not familiar enough with the finger protocol to provide any recommendations in regards to possible pattern modifications.
Tags: No tags attached.

Attached Files: finger.txt (1,891 bytes) 2011-10-27 15:03

Notes

Note 0000384
dsokoloski (developer)
2011-10-27 15:10

Unfortunately l7-filter does not combine content matching with protocol details such as source or destination address/port. The finger protocol pattern is already listed as under and over-matching. Due to the nature of the protocol (See http://tools.ietf.org/html/rfc1288), there is no easy way to block this protocol using pattern matching. It's recommended to add a blocking firewall rule for TCP traffic on port 79 rather than use this pattern.

However, I have updated the pattern to also require a match on 0x0d 0x0a at the end of the login name. This will improve the accuracy slightly and reduce over-matches for some protocols (SSH, HTTP headers), but will still over-match for any string that contains a-z + a-z0-9-_ and ends with CRLF.
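As an added illustration (not part of the report, the note or the attached finger.txt), the following Python snippet runs the pattern quoted in the report and an assumed reconstruction of the CRLF-requiring revision over constructed sample payloads; Python's re module with IGNORECASE stands in for l7-filter's own case-insensitive matcher, and the revised pattern is an assumption since the page does not reproduce the attachment.

```python
import re

# Pattern exactly as quoted in the report (finger.pat). The unanchored alternation
# means the first branch, "^[a-z][a-z0-9\-_]+", fires on its own.
ORIGINAL_PAT = r"^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"

# Assumed reconstruction of the developer's fix: the first branch must end in CRLF
# (0x0d 0x0a) right after the login name. The real revised pattern is in finger.txt.
REVISED_PAT = r"^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"

# Constructed sample payloads: the first bytes seen on each connection.
SAMPLES = {
    "finger_query": "root\r\n",                       # RFC 1288 query: user name + CRLF
    "finger_reply": "Login: root      Name: root      Directory: /root   Shell: /bin/bash\r\n",
    "http_request": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh_banner":   "SSH-2.0-OpenSSH_5.3\r\n",
    "smtp_ehlo":    "EHLO mail.example.com\r\n",
    "pop3_quit":    "QUIT\r\n",                       # letters then CRLF: still over-matched
    "tls_hello":    "\x16\x03\x01\x00\xa5",           # TLS record header, not a letter
}

# Only these two samples are genuinely finger traffic; everything else is a false positive.
FINGER_SAMPLES = {"finger_query", "finger_reply"}


def matches(pattern, payload):
    """True if the l7-style pattern fires anywhere in the payload (case-insensitive)."""
    return re.search(pattern, payload, re.IGNORECASE) is not None


def classify(pattern, samples=SAMPLES):
    """Map each sample name to whether the pattern would tag it as finger."""
    return {name: matches(pattern, payload) for name, payload in samples.items()}


def over_matches(pattern, samples=SAMPLES):
    """Names of non-finger samples the pattern wrongly classifies as finger."""
    hits = classify(pattern, samples)
    return sorted(name for name, hit in hits.items() if hit and name not in FINGER_SAMPLES)


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PAT), ("revised", REVISED_PAT)):
        print(f"{label}: over-matches {over_matches(pat)}")
```

Running it shows the original pattern tagging HTTP, SSH, SMTP and POP3 as finger, while the CRLF-requiring variant keeps the genuine finger query and reply but still fires on any short command line such as "QUIT\r\n", which is the residual over-match the note describes.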

Issue History
Date Modified Username Field Change
2011-02-18 15:06 therevmj New Issue
2011-03-02 15:45 user2 Status new => confirmed
2011-10-24 14:27 user2 Status confirmed => assigned
2011-10-24 14:27 user2 Assigned To => dsokoloski
2011-10-27 15:03 dsokoloski File Added: finger.txt
2011-10-27 15:10 dsokoloski Note Added: 0000384
2011-10-27 15:11 dsokoloski Status assigned => resolved
2011-10-27 15:11 dsokoloski Resolution open => fixed
2011-10-27 15:11 dsokoloski Fixed in Version => 6.1 Beta 2
2012-04-18 19:39 user2 Status resolved => closed
2018-01-15 16:31 user2 Category app-protocol-filter - Protocol Filter Manager => app-protocol-filter - ClearOS 5
2018-01-15 16:32 user2 Category app-protocol-filter - ClearOS 5 => deprecated - ClearOS 5 Protocol Filter