ID | Project | Category | View Status | Date Submitted | Last Update
0000239 | ClearOS | deprecated - ClearOS 5 Protocol Filter | public | 2011-02-18 15:06 | 2012-04-18 19:39
Reporter | therevmj
Assigned To | dsokoloski
Priority | normal | Severity | minor | Reproducibility | always
Status | closed | Resolution | fixed
Platform | OS | OS Version
Product Version | 5.2-SP1
Target Version | | Fixed in Version | 6.2.0 Beta 2
Summary | 0000239: blocking finger protocol is overly aggressive
Description | If you enable blocking of the finger protocol, many other protocols are also blocked.
Additional Information | The pattern used for blocking the finger protocol (found in /etc/l7-filter/protocols/protocols/finger.pat) is:
^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:
The exceedingly problematic portion is:
^[a-z][a-z0-9\-_]+
Given the fact that the l7 filters are case insensitive, this means that any protocol that sends packets that start out with a letter followed by at least one letter, number, -, or _ will match. I can only say for certain that http traffic is blocked when this rule is enabled; others should be affected as well (ssh because the banner starts out with 'SSH'). This rule either needs to be restricted to the default finger port of 79, or the pattern needs to be modified such that it does not block http and ssh protocols. Unfortunately, I am not familiar enough with the finger protocol to provide any recommendations in regards to possible pattern modifications.
Tags | No tags attached.
Attached Files | finger.txt (1,891 bytes) 2011-10-27 15:03
Notes
(0000384) dsokoloski (developer) 2011-10-27 15:10
Unfortunately l7-filter does not combine content matching with protocol details such as source or destination address/port. The finger protocol pattern is already listed as under and over-matching. Due to the nature of the protocol (See http://tools.ietf.org/html/rfc1288), there is no easy way to block this protocol using pattern matching. It's recommended to add a blocking firewall rule for TCP traffic on port 79 rather than use this pattern. However, I have updated the pattern to also require a match on 0x0d 0x0a at the end of the login name. This will improve the accuracy slightly and reduce over-matches for some protocols (SSH, HTTP headers), but will still over-match for any string that contains a-z + a-z0-9-_ and ends with CRLF.
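As an added worked example, not code from the issue or from ClearOS, this Python snippet runs the finger.pat pattern quoted in the description and an assumed rendering of the CRLF-requiring update from note 0000384 against constructed first-packet payloads, approximating l7-filter's case-insensitive matching with Python's re module. The updated pattern text is an assumption, since the finger.txt attachment is not reproduced on this page.

```python
import re

# Pattern quoted in the issue: /etc/l7-filter/protocols/protocols/finger.pat
ORIGINAL = rb"^[a-z][a-z0-9\-_]+|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"

# Assumed rendering of the change described in note 0000384: the login-name
# branch must now be followed by CRLF (0x0d 0x0a). The real finger.txt
# attachment is not on this page, so this is an assumption.
UPDATED = rb"^[a-z][a-z0-9\-_]+\x0d\x0a|login: [\x09-\x0d -~]* name: [\x09-\x0d -~]* Directory:"

# Constructed samples: the first bytes a client sends on several protocols.
SAMPLES = {
    "finger": b"therevmj\r\n",                       # plain finger query: user CRLF
    "http":   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "ssh":    b"SSH-2.0-OpenSSH_5.3\r\n",            # banner starts with 'SSH'
    "smtp":   b"EHLO mail.example.com\r\n",
    "gopher": b"about\r\n",                          # selector CRLF, same shape as finger
}


def matches(pattern, payload):
    """l7-filter matches case-insensitively over the connection's early data;
    re.IGNORECASE on a bytes pattern approximates that here."""
    return re.search(pattern, payload, re.IGNORECASE) is not None


def classify(pattern, samples=SAMPLES):
    """Map each sample protocol to whether the pattern flags it as finger."""
    return {name: matches(pattern, data) for name, data in samples.items()}


def over_matches(pattern, samples=SAMPLES):
    """Non-finger protocols the pattern would wrongly block."""
    hits = classify(pattern, samples)
    return sorted(name for name, hit in hits.items() if hit and name != "finger")


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL), ("updated", UPDATED)):
        print(f"{label}: finger={classify(pat)['finger']} over-matches={over_matches(pat)}")
```

The gopher sample shows the residual over-match the note describes: any connection that opens with a bare word followed by CRLF still looks like finger to the updated pattern.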
Issue History
Date Modified | Username | Field | Change |
2011-02-18 15:06 | therevmj | New Issue |
2011-03-02 15:45 | user2 | Status | new => confirmed |
2011-10-24 14:27 | user2 | Status | confirmed => assigned |
2011-10-24 14:27 | user2 | Assigned To | => dsokoloski |
2011-10-27 15:03 | dsokoloski | File Added: finger.txt |
2011-10-27 15:10 | dsokoloski | Note Added: 0000384 |
2011-10-27 15:11 | dsokoloski | Status | assigned => resolved |
2011-10-27 15:11 | dsokoloski | Resolution | open => fixed |
2011-10-27 15:11 | dsokoloski | Fixed in Version | => 6.1 Beta 2 |
2012-04-18 19:39 | user2 | Status | resolved => closed |
2018-01-15 16:31 | user2 | Category | app-protocol-filter - Protocol Filter Manager => app-protocol-filter - ClearOS 5 |
2018-01-15 16:32 | user2 | Category | app-protocol-filter - ClearOS 5 => deprecated - ClearOS 5 Protocol Filter |