Date: Sun, 20 May 2001 12:35:17 -0700 (PDT)
From: jsnader@ix.netcom.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/27474: Interactive use of user PPP and ipfilter can be insecure
Message-ID: <200105201935.f4KJZH926168@freefall.freebsd.org>

>Number:         27474
>Category:       kern
>Synopsis:       Interactive use of user PPP and ipfilter can be insecure
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 20 12:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jon Snader
>Release:        4.2 Release
>Organization:
>Environment:
FreeBSD bsd.jcs.com 4.2-RELEASE FreeBSD 4.2-RELEASE #2: Tue May 15 18:27:34 EDT 2001 jcs@bsd.jcs.com:/usr/src/sys/compile/JCS i386

>Description:
This is a follow-up on problems Kern/17494 and Kern/25344.

When using user PPP with ipfilter, the filter rules are not automatically applied to tunN. This happens because tunN is not created until it is used (Kern/17494), and therefore does not exist when network_pass1 from rc.network is run. As noted in Kern/25344, it is necessary to first start PPP and then reapply the rules with ipf -Fa -f /etc/ipf.rules. Just using ipf -y did not completely work for me (only some of the rules seem to be applied), and in any event it does not help *until* PPP is run, so adding ipf -y to the end of rc.network as suggested in Kern/25344 will not work if the user is starting PPP interactively from the command line.

The most serious aspect of this problem is that the user is given no indication of a problem. Even if the user checks the rules right after boot with ipf -io, the rules appear to be installed. Running ipf -V indicates that the filter is running. It is only by starting PPP, running something that invokes one of the rules, and checking with ipf -hio that the user discovers the firewall is completely open.

I was surprised that no security bulletin was issued for this problem, and I urge that one be issued to alert PPP/ipfilter users that they may be running an open system.

As a side remark, putting the ipf -Fa -f /etc/ipf.rules in the ppp.linkup file does not work if PPP was not started by root.

>How-To-Repeat:
Enable ipfilter in rc.conf, and reboot. Start PPP and check the rules with ipf -io and ipf -V. Use the network in a way that should cause one of the rules to be invoked. Check with ipf -hio and observe that the rule was not invoked. Reload the rules with ipf -Fa -f /etc/ipf.rules. Again use the network in a way that will cause one of the rules to be invoked, check with ipf -hio and observe that the rules are now being applied.

>Fix:
Either manually reload the rules after starting PPP for the first time or put the reload in /etc/ppp/ppp.linkup *and* start PPP as root. This means you should probably remove ``allow user'' from ppp.conf. It is only necessary to reload the rules once after PPP has run. They will then be active on subsequent runs (until a reboot, of course).

>Release-Note:
>Audit-Trail:
>Unformatted:
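
The check in How-To-Repeat, automated as an added example that is not part of the original report: it reads per-rule hit counts and reports whether any rule bound to the PPP interface has ever matched. It assumes the "<hits> <rule>" line format printed by ipfstat -hio; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report). Input on stdin: lines of the form
# "<hits> <rule text>", as printed by `ipfstat -hio` (assumed format).
# Typical use after traffic has crossed the link:
#   ipfstat -hio | filter_state tun0

# unhit_rules IFACE: print rules bound to "on IFACE" whose hit count is 0.
unhit_rules() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifc) {
                    if ($1 == 0) print
                    break
                }
        }'
}

# filter_state IFACE: print one of
#   no-rules       no listed rule names IFACE
#   never-matched  rules name IFACE but none has a hit (the silent failure)
#   matching       at least one rule on IFACE has matched traffic
filter_state() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifc) {
                    total++
                    if ($1 > 0) hit++
                    break
                }
        }
        END {
            if (!total)    print "no-rules"
            else if (!hit) print "never-matched"
            else           print "matching"
        }'
}

# Constructed sample listings (not captured from a real system):
# before the reload the rules are listed but have no hits on tun0.
sample_before='0 block in on tun0 all
0 pass out quick on tun0 proto tcp from any to any keep state
118 pass in quick on lo0 all'
sample_after='37 block in on tun0 all
412 pass out quick on tun0 proto tcp from any to any keep state
118 pass in quick on lo0 all'

printf '%s\n' "$sample_before" | filter_state tun0
printf '%s\n' "$sample_after"  | filter_state tun0
```

A "never-matched" result only indicates the problem if traffic that should match a rule has already passed over the interface.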