From owner-freebsd-ipfw@FreeBSD.ORG  Tue Sep 23 11:14:17 2014
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 18674CCF;
 Tue, 23 Sep 2014 11:14:17 +0000 (UTC)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "vps1.elischer.org",
 Issuer "CA Cert Signing Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id DED1A9EF;
 Tue, 23 Sep 2014 11:14:16 +0000 (UTC)
Received: from Julian-MBP3.local (ppp121-45-249-73.lns20.per2.internode.on.net
 [121.45.249.73]) (authenticated bits=0)
 by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id s8NBEBk2035878
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
 Tue, 23 Sep 2014 04:14:13 -0700 (PDT)
 (envelope-from julian@freebsd.org)
Message-ID: <542155FB.9020801@freebsd.org>
Date: Tue, 23 Sep 2014 19:14:03 +0800
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, Hiroki Sato <hrs@FreeBSD.org>,
 ipfw@FreeBSD.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
References: <20140921.145812.325633000583440554.hrs@allbsd.org>
 <542063F3.8080600@yandex.ru>
In-Reply-To: <542063F3.8080600@yandex.ru>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 11:14:17 -0000

On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
> On 21.09.2014 09:58, Hiroki Sato wrote:
>> Hi,
>>
>>   I would like your comments about the attached patch to /etc/rc.
>>
>>   The problem I want to fix by this patch is as follows.
>>   net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
>>   kernel module is loaded or statically compiled into a kernel.  And by
>>   default IPFW has only a "deny ip from any to any" rule if it is
>>   compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option.  In this case,
>>   the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
>>   working as described in the patch.
>>
>>   To fix this, the patch turns IPFW off before running rc.d scripts at
>>   boot time, and enables it again in rc.d/ipfw script.
> Hi,
>
> I think this should be configurable, the change can be an unexpected for
> someone.
it does open a window where there is networking but no firewalling.
given that a reboot is remotely detectable. (ping stops responding etc.)
there is a possibility that a targeted attack could include
"use exploit ABC to cause a crash of the target and then strike with
exploit XYZ after target system reboots while the firewall is disabled".

I have not evaluated the danger of this window.