Bug #7103

closed

Security issue regarding traffic shaper created by wizard

Added by Chris Collins over 7 years ago. Updated over 7 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 01/08/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

So take this into consideration:

The default dns resolver settings listen on "all" interfaces.

If I follow the traffic shaper wizard and choose to have DNS traffic on a non-default priority, then floating rules are created for UDP and TCP port 53 to assign the traffic to a queue.

Now these rules are created as match rules, meaning they don't actually assign the traffic to a queue. So in this state there is not a security issue, but the rules do not perform their intended task, which is to move the traffic to the higher-priority queue.

To make the rules perform this task they have to be set to pass. However, when set to pass, the traffic is also allowed from the internet to those ports, so in this case my Unbound DNS resolver will now accept connections from the internet.

The solution to both issues is to create the rules as LAN interface rules (outbound rules) not floating rules, set to pass. This will move the traffic to the right queue and will not open the ports on the internet side of the firewall.
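To make the distinction the report turns on concrete, here are the three rule shapes it describes written in pf.conf syntax. This is an added illustration, not the ticket's or the wizard's generated rules; the interface names, the `wan_if`/`lan_if` macros and the queue name `qDNS` are assumptions.

```pf
# Added illustration (not from the ticket). Interface and queue names are assumed.
wan_if = "igb0"
lan_if = "igb1"

# 1. Floating "match" rule, the shape the report says the wizard generates.
#    match never makes a pass/block decision, so it cannot open port 53 to the
#    WAN; it only tags matching packets with a queue.
match proto { tcp udp } from any to any port 53 queue qDNS

# 2. The same rule switched to "pass", still floating (no "on <interface>").
#    Without an interface restriction it applies on every interface, WAN
#    included, so inbound connections from the Internet to port 53 on the
#    firewall itself are allowed. With the resolver listening on "all"
#    interfaces, that is the exposure the report describes.
pass in quick proto { tcp udp } from any to any port 53 queue qDNS

# 3. Interface-scoped rule, the report's proposed fix. Only packets arriving on
#    the LAN interface from the LAN subnet match, so client DNS traffic gets
#    the queue while nothing is opened on the WAN side.
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to any port 53 queue qDNS
```

In pf a rule's interface is where the packet enters the firewall, so a rule placed on the LAN interface is a `pass in on $lan_if` rule even though the report calls it an "outbound" rule.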

#1

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Rejected

There is no security issue except the one you made by changing the rules. If there is a problem with the shaper rules, open a ticket about the shaper rules, but don't try to make it sound like a security problem where none exists.
