Date:      Sun, 12 Oct 2014 05:02:11 +0900 (JST)
From:      Hiroki Sato <hrs@FreeBSD.org>
To:        smithi@nimnet.asn.au
Cc:        bu7cher@yandex.ru, julian@freebsd.org, ipfw@freebsd.org
Subject:   Re: net.inet{,6}.fw.enable in /etc/rc
Message-ID:  <20141012.050211.468265599523763400.hrs@allbsd.org>
In-Reply-To: <20141003025830.D48482@sola.nimnet.asn.au>
References:  <542155FB.9020801@freebsd.org> <20141002.163913.1611863032602700090.hrs@allbsd.org> <20141003025830.D48482@sola.nimnet.asn.au>

----Security_Multipart0(Sun_Oct_12_05_02_11_2014_491)--
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Sun_Oct_12_05_02_11_2014_591)--"
Content-Transfer-Encoding: 7bit

----Next_Part(Sun_Oct_12_05_02_11_2014_591)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Ian Smith <smithi@nimnet.asn.au> wrote
  in <20141003025830.D48482@sola.nimnet.asn.au>:

sm> which rules will be flushed when /etc/rc.d/ipfw runs, but should enable
sm> DHCP to work?  I'm not sure whether those rules are exactly correct or
sm> sufficient for DHCP, but principle is to only allow what's necessary in
sm> the circumstances this addresses, vastly reducing vulnerable window.
sm>
sm> Using such a method, there should be no need to modify rc.d/ipfw?

 I created an experimental patch based on an idea installing a minimal
 ruleset.  Please review the attached patch.  rc.d/ipfw0 script to
 install such a ruleset is invoked before rc.d/netif.  The following
 two knobs are added:

 $firewall_minimal_rules_enable
    Enable/disable installing a minimal ruleset.

 $firewall_minimal_ruleset
    Ruleset number to be used for the ruleset.

sm>  >  Does ipfw have rules which depend on interface initialization?  If
sm>  >  not, moving rc.d/ipfw to just before rc.d/netif may be a better idea.
sm>
sm> It can.  If using (say) mpd with dialup or ADSL modems, as I do, the
sm> interface - here ng0 - needs to preexist, needing an IP address too.
sm>
sm> I think that by now, many will likely rely on netif preceding ipfw.

 AFAICC an IPFW rule for ng0 can be installed before the interface is
 created.  Do you have a specific rule which is problematic if IPFW
 rules are loaded before rc.d/netif runs?  I am also using mpd and a
 lot of cloned interfaces on my router box but it worked fine.

-- Hiroki

----Next_Part(Sun_Oct_12_05_02_11_2014_591)--
Content-Type: Text/X-Patch; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="rc_ipfw0.20141012-1.diff"

Index: etc/defaults/rc.conf
===================================================================
--- etc/defaults/rc.conf	(revision 272887)
+++ etc/defaults/rc.conf	(working copy)
@@ -116,6 +116,11 @@
 wpa_supplicant_conf_file="/etc/wpa_supplicant.conf"
 #
 firewall_enable="NO"		# Set to YES to enable firewall functionality
+firewall_minimal_rules_enable="YES"	# Set to YES to temporarily apply
+				# minimal rules required for interface
+				# initialization before applying the full rules.
+firewall_minimal_ruleset="30"	# Ruleset number for minimal rules
+firewall_link_enable="NO"	# Set to YES to enable L2 filtering
 firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
 firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display
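Review bot: The comment on `firewall_link_enable` at L74 does not say that `NO` is now enforced rather than passive: rc.d/ipfw in this same patch writes `net.link.ether.ipfw=0` whenever the knob is off, which will likely override a value an administrator set in sysctl.conf. I would extend it to `firewall_link_enable="NO"	# Set to YES to enable L2 filtering (net.link.ether.ipfw); NO switches it off when ipfw starts`. Likewise `firewall_minimal_rules_enable` only takes effect when `firewall_enable` is YES, since the new ipfw0 script uses that as its rcvar, and the comment at L70-L72 could say so.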
Index: etc/rc.firewall
===================================================================
--- etc/rc.firewall	(revision 272887)
+++ etc/rc.firewall	(working copy)
@@ -42,6 +42,7 @@

 ############
 # Define the firewall type in /etc/rc.conf.  Valid values are:
+#   minimal     - will allow only packets required for interface initialization
 #   open        - will allow anyone in
 #   client      - will try to protect just this machine
 #   simple      - will try to protect a whole network
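Review bot: Listing `minimal` among the user-selectable types at L86 invites setting `firewall_type="minimal"` in rc.conf, yet the arm that implements it is written for the boot-time call from rc.d/ipfw0 and would leave a full ipfw start with nothing but the DHCP and ICMPv6 bootstrap rules in front of the default rule. The comment should mark it as internal, e.g. `#   minimal     - bootstrap rules for interface initialization; used by rc.d/ipfw0, not meant for rc.conf`.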
@@ -138,8 +139,14 @@
 #
 ${fwcmd} -f flush

-setup_loopback
-setup_ipv6_mandatory
+case ${firewall_type} in
+[Mm][Ii][Nn][Ii][Mm][Aa][Ll])
+;;
+*)
+	setup_loopback
+	setup_ipv6_mandatory
+;;
+esac
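Review bot: The unconditional `${fwcmd} -f flush` at L92 still runs for the new `minimal` type, so any invocation of `rc.firewall minimal` outside the boot sequence — `service ipfw0 start` or `onestart` on a running host — discards the entire active ruleset and leaves only the bootstrap set in front of the default rule. The minimal arm later disables and deletes its own set before adding rules, so it does not need the global flush; move `${fwcmd} -f flush` into the `*)` arm next to `setup_loopback` and `setup_ipv6_mandatory` so only the full types flush.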

 ############
 # Network Address Translation.  All packets are passed to natd(8)
@@ -187,6 +194,51 @@
 # Prototype setups.
 #
 case ${firewall_type} in
+[Mm][Ii][Nn][Ii][Mm][Aa][Ll])
+	#
+	# Temporary rule set for network interface initialization.
+	#
+	case $firewall_minimal_ruleset in
+	[0-9]|[12][0-9]|30)
+		# Valid if 0-30.
+	;;
+	*)
+		warn "Invalid ruleset number: $firewall_minimal_ruleset."
+		false
+	;;
+	esac
+	$fwcmd -q set disable $firewall_minimal_ruleset
+	$fwcmd -q delete set $firewall_minimal_ruleset
+
+	_set="set $firewall_minimal_ruleset"
+
+	# DHCPv4
+	# DHCPDISCOVER (from 0.0.0.0/32)
+	# DHCPREQUEST (broadcast)
+	$fwcmd -q add 65001 $_set allow udp \
+	    from any to 255.255.255.255/32 \
+	    mac ff:ff:ff:ff:ff:ff any \
+	    src-port 68 dst-port 67 layer2 out
+
+	# DHCPREQUEST (unicast)
+	$fwcmd -q add 65001 $_set allow udp \
+	    from any to any \
+	    src-port 68 dst-port 67 layer2 out
+
+	# DHCPOFFER, DHCPACK
+	$fwcmd -q add 65001 $_set allow udp \
+	    from any to any \
+	    src-port 67 dst-port 68 layer2 in
+
+	# TODO: DHCPv6 65002
+
+	# ICMPv6 DAD
+	$fwcmd -q add 65003 $_set allow ipv6-icmp from :: to ff02::/16
+
+	# ICMPv6 link-local communication including ND/NS and RS/RA
+	$fwcmd -q add 65004 $_set allow ipv6-icmp from fe80::/10 to fe80::/10
+	$fwcmd -q add 65004 $_set allow ipv6-icmp from fe80::/10 to ff02::/16
+	;;
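Review bot: The invalid-ruleset branch at L119-L122 does not stop the script: `false` only sets `$?`, rc.firewall is not run with `-e`, and execution continues into `set disable`, `delete set` and the rule additions with the rejected value; it should be `exit 1`. The accepted range at L116 also includes 0, the set that ipfw rules belong to by default, so a misconfigured `firewall_minimal_ruleset=0` turns `$fwcmd -q delete set 0` here, in `ipfw0_stop`, and in the unvalidated `/sbin/ipfw delete set` added to rc.d/ipfw into a removal of the production ruleset; `[1-9]|[12][0-9]|30)` closes that. The same case statement is duplicated in the new rc.d/ipfw0 script and should get both fixes. The `30` upper bound already keeps clear of set 31, which holds the default rule.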
 [Oo][Pp][Ee][Nn])
 	${fwcmd} add 65000 pass all from any to any
 	;;
Index: etc/rc.d/ipfw
===================================================================
--- etc/rc.d/ipfw	(revision 272887)
+++ etc/rc.d/ipfw	(working copy)
@@ -31,6 +31,15 @@
 	if checkyesno firewall_nat_enable; then
 		required_modules="$required_modules ipfw_nat"
 	fi
+	if checkyesno firewall_minimal_rules_enable; then
+		# Remove minimum ruleset.
+		/sbin/ipfw delete set $firewall_minimal_ruleset
+	fi
+	if checkyesno firewall_link_enable; then
+		${SYSCTL_W} net.link.ether.ipfw=1
+	else
+		${SYSCTL_W} net.link.ether.ipfw=0
+	fi
 }
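Review bot: The `/sbin/ipfw delete set $firewall_minimal_ruleset` call at L169 is the only ipfw invocation in the patch run without `-q`, and whether it prints an error when the set is already empty (for example after `firewall_minimal_rules_enable` was toggled between boots, or when ipfw0 returned early) I cannot confirm from the hunk; `/sbin/ipfw -q delete set $firewall_minimal_ruleset` would keep boot output consistent with rc.d/ipfw0. The enclosing function starts before this hunk.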

 ipfw_start()
Index: etc/rc.d/ipfw0
===================================================================
--- etc/rc.d/ipfw0	(revision 0)
+++ etc/rc.d/ipfw0	(working copy)
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw0
+# REQUIRE: FILESYSTEMS
+# BEFORE: netif ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw0"
+desc="Setup minimal firewall rules required for network interface configuration"
+rcvar="firewall_enable"
+required_modules="ipfw"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+
+fwcmd="/sbin/ipfw -q"
+
+ipfw0_start()
+{
+	if ! checkyesno firewall_minimal_rules_enable; then
+		return 1
+	fi
+	case $firewall_minimal_ruleset in
+	[0-9]|[12][0-9]|30)
+		# Valid if 0-30.
+	;;
+	*)
+		warn "Invalid ruleset number: $firewall_minimal_ruleset."
+		return 1
+	;;
+	esac
+
+	if /bin/sh /etc/rc.firewall minimal; then
+		echo "Minimal IPFW ruleset loaded to set" \
+		    "$firewall_minimal_ruleset."
+	else
+		return 1
+	fi
+
+	$fwcmd set enable $firewall_minimal_ruleset
+	# Enable L2 filtering temporarily.
+	${SYSCTL_W} net.link.ether.ipfw=1 > /dev/null
+
+	# Enable IPFW temporarily.  rc.d/ipfw will remove the ruleset.
+	${SYSCTL_W} -qi net.inet.ip.fw.enable=1 > /dev/null
+	${SYSCTL_W} -qi net.inet6.ip6.fw.enable=1 > /dev/null
+}
+
+ipfw0_stop()
+{
+
+	$fwcmd delete set $firewall_minimal_ruleset
+}
+
+load_rc_config $name
+case $1 in
+*start)
+	if [ "$(${SYSCTL_N} -iq net.inet.ip.fw.enable)" = 1 ] && \
+	   [ "$($fwcmd list 65535)" = "65535 deny ip from any to any" ] && \
+	   ! checkyesno firewall_enable; then
+		warn "firewall_enable=\"NO\" can prevent network interface" \
+		    "initialization."
+	fi
+;;
+esac
+run_rc_command $*
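Review bot: `ipfw0_start` returns 1 at L208-L210 when `firewall_minimal_rules_enable` is off, so a deliberate configuration is presumably propagated by `run_rc_command` as a failed start; `return 0` for the disabled case, mirroring how rc.d/ipfw guards its own use of the knob with `checkyesno`, would be cleaner, and `ipfw0_stop` should take the same guard instead of deleting the set unconditionally. The sanity warning at L246-L248 compares the output of `$fwcmd list 65535` against a literal string, which ties it to ipfw's current print format; matching on the keyword alone, `case "$($fwcmd list 65535)" in *deny*)`, would survive formatting changes. A short comment above that `case` saying why it is reached even when the rcvar is off — the kernel may have ipfw enabled with a default-deny rule before any rc script runs — would help the next reader.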

Property changes on: etc/rc.d/ipfw0
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Index: etc/rc.d/Makefile
===================================================================
--- etc/rc.d/Makefile	(revision 272887)
+++ etc/rc.d/Makefile	(working copy)
@@ -61,6 +61,7 @@
 	ip6addrctl \
 	ipfilter \
 	ipfs \
+	ipfw0 \
 	ipfw \
 	ipmon \
 	ipnat \

----Next_Part(Sun_Oct_12_05_02_11_2014_591)----

----Security_Multipart0(Sun_Oct_12_05_02_11_2014_491)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEABECAAYFAlQ5jMMACgkQTyzT2CeTzy0t4gCgvHMIxKo2fhQMZetroavcP4Cd
6bIAn2AyQWVw/MbB42OH0oUKcqIB+/0E
=CSYe
-----END PGP SIGNATURE-----

----Security_Multipart0(Sun_Oct_12_05_02_11_2014_491)----


