[Design] Kernel-based BMC firewall
Andrew Jeffery
andrew at aj.id.au
Fri May 24 11:05:05 AEST 2019
On Fri, 24 May 2019, at 07:10, Joseph Reynolds wrote:
> On 2019-03-04 10:14, Ed Tanous wrote:
> > On 3/1/19 1:31 PM, Joseph Reynolds wrote:
> >> ## Problem Description
> >>
> >> OpenBMC needs an integral firewall to monitor and control its IP
> >> traffic.
> >
> > Why? I believe this needs more details here on why the current
> > solution
> > is inadequate. If some document/security policy is driving this, we
> > should reference that here as well. There _must_ be a standard or
> > authority for network security that we can reference rather than
> > creating our own.
> >
> > I would like to see the problem description be a lot longer than 1
> > sentence given how long the requirements section is.
>
>
> Ed and Andrew,
>
> Thanks for your email. Based partly on your input, I’m dropping
> requirements which can be solved in better ways. The remaining
> requirement is blocking ICMP packet types 13 and 14 (timestamp
> requests). If this can be done without using a firewall, then I don’t
> see a need for a firewall at all.
>
> Here are the requirements my previous design attempted to address, with
> updated ideas about what the firewall should do.
>
> - Block specific ICMP packets: Block ICMP packets of type 13 or 14
> and/or code 0 per https://nvd.nist.gov/vuln/detail/CVE-1999-0524. Given
> this is rated as LOW severity, I wonder if it is worth pursuing.
> Alternatively, can the Linux kernel be configured to not respond to
> these packets?
>
There's no mechanism in the kernel to configure out ICMP timestamp
support, or any sysctl knob to turn it off at runtime. As it stands the
only approach to avoid responding is to patch the kernel or use netfilter
(a firewall) to drop the packets.
Andrew
More information about the openbmc
mailing list