Ticket #2573 (assigned enhancement)
Iptables ispCP rules MUST be added with -A instead of -I
|Reported by:||leleobhz||Owned by:||benedikt|
|Priority:||major||Milestone:||ispCP ω 1.1.0|
|Component:||Config Files||Version:||ispCP ω 1.1.0 Beta1|
ispCP registers the new ISPCP_INPUT chain in front of every previous firewall rule, taking away from the admin the power to make changes to the firewall.
ispCP isn't a complete firewall system, so the rules it adds to iptables just allow connections to the server, but without protection (for example, from invalid or fragmented packets), even on valid ports. Also, it disables any "NEW state" connection treatment.
Using the mangle table isn't an option, since mangle aims to change packets, not to accept/reject/drop packets, even though it can do this. This kind of rule is the responsibility of filter, and inserting direct accept rules BEFORE all other rules can open the server too much and remove the sysadmin's ability to control what happens in allowed services.
- Priority changed from blocker to major
- Type changed from security failure to enhancement
- Component changed from Backend (Engine) to Config Files
- Severity changed from Hard to Easy
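
Added example, not part of the ticket or of ispCP's code: a small Python model of first-match evaluation in the INPUT chain, comparing the ISPCP_INPUT jump placed with -I (position 1) against -A (end of chain). The admin rules, the per-port ACCEPT contents of ISPCP_INPUT, the ports, the sample packets and the DROP policy are constructed assumptions based on the ticket's description.

```python
# Simplified model of iptables first-match evaluation (filter table, INPUT).
# All rules, ports and packets are constructed for illustration.

# Rules the sysadmin already had: (rule text, match predicate, target)
ADMIN_RULES = [
    ("-m state --state INVALID -j DROP", lambda p: p["state"] == "INVALID", "DROP"),
    ("-f -j DROP", lambda p: p["fragment"], "DROP"),
    ("-m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
]

# Assumed content of ISPCP_INPUT: plain per-port accepts, as the ticket describes.
ISPCP_INPUT = [
    (f"-p tcp --dport {port} -j ACCEPT", lambda p, port=port: p["dport"] == port, "ACCEPT")
    for port in (25, 80, 443)
]
JUMP = ("-j ISPCP_INPUT", lambda p: True, ISPCP_INPUT)


def build_input(mode):
    """Return the INPUT chain with the ISPCP_INPUT jump inserted (-I) or appended (-A)."""
    chain = list(ADMIN_RULES)
    if mode == "-I":
        chain.insert(0, JUMP)   # jump lands in front of every existing rule
    elif mode == "-A":
        chain.append(JUMP)      # jump lands after the admin's rules
    else:
        raise ValueError("mode must be '-I' or '-A'")
    return chain


def verdict(chain, packet, policy="DROP"):
    """Walk the chain top-down; the first terminating target decides the packet."""
    for _text, match, target in chain:
        if not match(packet):
            continue
        if isinstance(target, list):          # jump into a user-defined chain
            sub = verdict(target, packet, policy=None)
            if sub is not None:
                return sub
            continue                          # no match there: return to caller
        return target
    return policy                             # built-in chain falls back to policy


INVALID_TO_80 = {"state": "INVALID", "fragment": False, "dport": 80}
FRAGMENT_TO_25 = {"state": "NEW", "fragment": True, "dport": 25}
NEW_TO_443 = {"state": "NEW", "fragment": False, "dport": 443}
```

With -I the invalid and fragmented packets reach the per-port accepts before the admin's drop rules are ever consulted; with -A the same packets are dropped first and normal new connections to the service ports are still accepted.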