jjdk
Joined: 10 Feb 2008 Posts: 2
Posted: Sun Feb 10, 2008 6:45 pm Post subject: Possible security-bug in the CAPTIVE PORTAL!
Hi Fulvio
I have been testing Zeroshell this weekend to see if it is something we can use at work, and I love it (so now I use it at home)!
However, I have found the following security bug:
When changing the firewall policy for the FORWARD rule from “Accept” to “Drop”, it does as expected; nothing gets through the firewall. However, I wanted my Captive Portal users to be able to use the following services: SMTP, ICMP, HTTP, HTTPS and SIP.
So I started to add them as “Accept” rules, which works fine; however, I soon discovered that I could ping my mail server and telnet to it on port 25 as well, regardless of the fact that I wasn't even logged in through the Captive Portal.
So I decided to change the policy back to “Accept” and everything started to work again: no passing through of any kind unless I was logged in through the Captive Portal.
Can you by any chance fix this bug?
Kind regards
JJ
fulvio Site Admin
Joined: 01 Nov 2006 Posts: 997
Posted: Mon Feb 11, 2008 7:04 pm Post subject:
The firewall rules are processed before the captive portal ones. Therefore, if you use the ACCEPT target, the captive portal is bypassed. The workaround is to create the rules not directly in FORWARD but in a user-defined chain. This is an example:
Chain FORWARD (policy ACCEPT 160 packets, 62780 bytes)
 pkts bytes target        prot opt in   out  source      destination
  178 63796 allowedproto  all  --  *    *    0.0.0.0/0   0.0.0.0/0
  160 62780 CapPort       all  --  *    *    0.0.0.0/0   0.0.0.0/0

Chain allowedproto (1 references)
 pkts bytes target        prot opt in   out  source      destination
    0     0 RETURN        icmp --  *    *    0.0.0.0/0   0.0.0.0/0
   59  7322 RETURN        tcp  --  *    *    0.0.0.0/0   0.0.0.0/0   tcp dpt:80
  101 55458 RETURN        all  --  *    *    0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
   20  1112 DROP          all  --  *    *    0.0.0.0/0   0.0.0.0/0
Regards
Fulvio
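The chain layout in Fulvio's listing, written out as the iptables commands that would produce it. This is an added example, not Zeroshell's own configuration or a script from the forum; it assumes the user chain is named allowedproto as in the listing, that Zeroshell has already created its CapPort chain in FORWARD, and that iptables is on the PATH (set IPT=echo to preview the commands without applying them). The point it demonstrates is the difference between RETURN and ACCEPT: a RETURN hands the packet back to FORWARD, where the CapPort jump still applies, whereas an ACCEPT would end traversal and skip the captive portal entirely.

```shell
#!/bin/sh
# Added example (not Zeroshell's own scripts): build the "allowedproto" user
# chain from Fulvio's listing with plain iptables commands.
# Assumptions: chain name "allowedproto"; Zeroshell's CapPort chain already
# exists in FORWARD; FORWARD policy stays ACCEPT (the user chain does the DROP).
set -eu

# Override with IPT=echo to print the commands instead of running them.
IPT="${IPT:-iptables}"

# Emit the rule set, one iptables command per line, without executing it.
# Allowed traffic uses RETURN (back to FORWARD, so CapPort still sees it);
# everything else is dropped at the end of the chain.
allowedproto_rules() {
    cat <<EOF
$IPT -N allowedproto
$IPT -A allowedproto -p icmp -j RETURN
$IPT -A allowedproto -p tcp --dport 80 -j RETURN
$IPT -A allowedproto -m state --state RELATED,ESTABLISHED -j RETURN
$IPT -A allowedproto -j DROP
$IPT -I FORWARD 1 -j allowedproto
EOF
}

# Number of rules that hand traffic back to FORWARD rather than accepting it.
count_return_rules() {
    allowedproto_rules | grep -c -- '-j RETURN'
}

# Sanity check: no rule in the user chain may use ACCEPT, or the captive
# portal would be bypassed exactly as in the original report.
has_no_accept() {
    ! allowedproto_rules | grep -q -- '-j ACCEPT'
}

# Execute the emitted commands in order (chain is created before the jump).
apply_rules() {
    allowedproto_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Usage: IPT=echo sh allowedproto.sh --apply   (preview)
#        sh allowedproto.sh --apply            (as root, applies the rules)
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

The jump to allowedproto is inserted at position 1 of FORWARD so it is evaluated before the CapPort jump, matching the order in the listing; the last rule in the user chain is the DROP that replaces the FORWARD policy change from the original report.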
jjdk
Joined: 10 Feb 2008 Posts: 2
Posted: Tue Feb 12, 2008 4:40 pm Post subject:
Hi Fulvio,
Thanks for your quick response!
I'm having a hard time trying to figure out what exactly I need to do:
I have created a chain called “captive_portal_forward” (instead of “allowedproto”) and added it to the top of the FORWARD chain, but I can't see anywhere where I can define the packet bytes, nor can I see the “system” chain “CapPort” in the Chain drop-down list.
Can you please point me in the right direction? Thanks,
JJ