Submitted to D8 security bug bounty. Not sure if it's relevant or makes any sense:

Your firewall policy seems to let TCP packets with a specific source port pass through. Some types of requests can pass through the firewall. The port number 80 is the source port that unauthorized users can use to bypass your firewall.

Suggestion to fix: Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

I tested on test.myshopify.com and it responded 4 times to 4 TCP SYN probes sent to port 20 using source port 80. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.
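The misconfiguration the report describes is a filter rule that decides on the packet's TCP source port (a field the sender controls) instead of on destination port plus connection state, so a SYN sent from source port 80 reaches a port that is otherwise filtered. The following audit script is an added example, not code from this issue or from the Drupal.org infrastructure: it parses an iptables-save dump, flags ACCEPT rules in INPUT/FORWARD that admit a new TCP SYN purely because of its source port, and shows one way to rewrite such a rule. The ruleset inside it is constructed for the example and the function names are my own.

```python
"""Audit an iptables-save dump for ACCEPT rules keyed on TCP source port.

Added example for this issue; the SAMPLE_RULES text is constructed and does
not describe any real host.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed iptables-save excerpt (not a real ruleset).  The --sport 80 and
# --sports 80,443 rules are the mistake under discussion: they accept any TCP
# packet, including a fresh SYN, whose source port happens to be 80 or 443.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --syn --sport 443 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    raw: str
    target: Optional[str] = None
    proto: Optional[str] = None
    sports: List[str] = field(default_factory=list)   # non-negated source ports
    dports: List[str] = field(default_factory=list)
    ctstates: Set[str] = field(default_factory=set)
    syn: Optional[bool] = None   # True = --syn, False = ! --syn, None = no flag check


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; other lines (headers, comments) give None.

    Covers the common tcp/multiport/conntrack options only; it is an audit
    helper, not a full iptables grammar.
    """
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1], raw=line)
    negate = False
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "!":                       # negation applies to the next option
            negate = True
            i += 1
            continue
        if t in ("-p", "--protocol"):
            rule.proto = toks[i + 1]
            i += 2
        elif t in ("-j", "--jump"):
            rule.target = toks[i + 1]
            i += 2
        elif t in ("--sport", "--source-port", "--sports", "--source-ports"):
            if not negate:                 # '! --sport 80' is not a source-port allow
                rule.sports.extend(toks[i + 1].split(","))
            i += 2
        elif t in ("--dport", "--destination-port", "--dports", "--destination-ports"):
            rule.dports.extend(toks[i + 1].split(","))
            i += 2
        elif t == "--ctstate":
            rule.ctstates.update(toks[i + 1].split(","))
            i += 2
        elif t == "--syn":
            rule.syn = not negate
            i += 1
        elif t in ("-m", "--match", "-i", "-o", "-s", "-d"):
            i += 2                         # option with one argument we do not need
        else:
            i += 1
        negate = False
    return rule


def source_port_accepts(rules_text: str, chains=("INPUT", "FORWARD")) -> List[Rule]:
    """Return ACCEPT rules that let a new TCP SYN in based on its source port.

    A rule escapes the finding if it is limited to ESTABLISHED/RELATED flows
    (a SYN is state NEW) or explicitly excludes SYN packets.
    """
    hits = []
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if rule is None or rule.chain not in chains or rule.target != "ACCEPT":
            continue
        if not rule.sports:
            continue
        if rule.ctstates and "NEW" not in rule.ctstates:
            continue
        if rule.syn is False:
            continue
        hits.append(rule)
    return hits


def harden(line: str) -> str:
    """Restrict a source-port ACCEPT rule to established flows.

    Inserts '-m conntrack --ctstate ESTABLISHED' before the jump target.  In
    practice the cleaner fix is usually to delete the rule, since a leading
    RELATED,ESTABLISHED rule already covers legitimate return traffic.
    """
    toks = line.split()
    j = toks.index("-j")
    return " ".join(toks[:j] + ["-m", "conntrack", "--ctstate", "ESTABLISHED"] + toks[j:])


if __name__ == "__main__":
    for r in source_port_accepts(SAMPLE_RULES):
        print("source-port allow:", r.raw)
        print("  suggested      :", harden(r.raw))
```

Run against `iptables-save` output on a host (`iptables-save | python3 audit.py` with a small change to read stdin) and it reports the two weak rules from the sample while leaving the conntrack-restricted and `! --syn` variants alone. The probe in the report (a SYN to a filtered port with source port 80, compared against the same probe from a random source port) is the external check that confirms what the audit finds.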

Comments

pwolanin created an issue.

nnewton:

That could be a FW misconfiguration; it could also be a few other things. However, we do not have anything to do with test.myshopify.com.

Not really a valid report.

-N

nnewton:

So, amusingly, he was somewhat correct, in that in reviewing things I did find a few machines where our puppet module had created multi-port rules in places it shouldn't have. Am doing a tree-wide change to how the puppet rules are written. So, while his report wasn't valid for us... it did make me find an issue. So, thanks for opening this.

-N

mlhess:

Status: Active » Closed (outdated)

Closing as outdated.