Home page logo
/

bugtraq logo Bugtraq mailing list archives

IBM AIX Packet Filter module
From: brummie () SECURE I1 NET (Brumbles)
Date: Mon, 25 Oct 1999 14:45:19 -0500


I have tried unsuccessfully to get any response from IBM on the following,
apparently unless you have a support contract you cant report bugs..
(well.. you can.. "Program Services", but thats a link to /dev/null
apparently.)

AixLevel AIX4.3.2
Packet Filtering Module, in particular the command genfilt does not allow
the addition of filters with port numbers greater than 32767

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 \
-c udp -o any -O eq  -P 123 -l n -w I -i all

Works fine... but...

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c udp \
-o any -O eq  -P 32768 -l n -w I -i all

Fails with:
Bad destination port/ICMP type "32768".

All is well if you use port 32767.

Simply put, the -P (port) parameter will not accept an argument greater
than 32767.

Obviously there are a lot of things above 32768 that you might want to filter,
e.g. rstatd. and other RPC programs, and also if I wanted to ensure that
my users arent opening up any services that sit on high ports, they can
circumvent any protection I layer on top by starting their service above
32767!

As the AIX4.3.2 packet filtering module is based upon the commercial IBM
firewall, I would be very interested to see if this weakness also exists
in that product.

I believe this opens up a security problem for anyone using the AIX
filtering that wants to continue using RPC on an internal interface, but
wishes to present only certain ports to an external side.

Thanks,
Brum.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault