Date: Tue, 23 Sep 2014 19:14:03 +0800
From: Julian Elischer <julian@freebsd.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>, Hiroki Sato <hrs@FreeBSD.org>, ipfw@FreeBSD.org
Subject: Re: net.inet{,6}.fw.enable in /etc/rc
Message-ID: <542155FB.9020801@freebsd.org>
In-Reply-To: <542063F3.8080600@yandex.ru>
References: <20140921.145812.325633000583440554.hrs@allbsd.org> <542063F3.8080600@yandex.ru>
On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
> On 21.09.2014 09:58, Hiroki Sato wrote:
>> Hi,
>>
>> I would like your comments about the attached patch to /etc/rc.
>>
>> The problem I want to fix by this patch is as follows.
>> net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW
>> kernel module is loaded or statically compiled into a kernel. And by
>> default IPFW has only a "deny ip from any to any" rule if it is
>> compiled without the IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
>> the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
>> working, as described in the patch.
>>
>> To fix this, the patch turns IPFW off before running rc.d scripts at
>> boot time, and enables it again in the rc.d/ipfw script.
> Hi,
>
> I think this should be configurable; the change can be unexpected for
> someone.

It does open a window where there is networking but no firewalling. Given that a reboot is remotely detectable (ping stops responding, etc.), there is a possibility that a targeted attack could include "use exploit ABC to cause a crash of the target and then strike with exploit XYZ after the target system reboots while the firewall is disabled". I have not evaluated the danger of this window.
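The two boot-time states discussed in this thread (a default-deny ruleset that blocks early rc.d scripts, versus a disabled firewall that leaves an unfiltered window) can be checked from a shell. The following is an added example written for this page; it is not the proposed /etc/rc patch nor any FreeBSD rc.d code. It assumes the IPv4 sysctl is net.inet.ip.fw.enable and that `ipfw list` prints one rule per line with the default rule numbered 65535; the sample rulesets are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread or of the /etc/rc patch under discussion.
# Classifies the firewall state at a point during boot from two inputs:
#   $1 - value of net.inet.ip.fw.enable (0 or 1)
#   $2 - text of an "ipfw list" ruleset, one rule per line
# Prints one of: OPEN_WINDOW, BLOCKED, FILTERED
fw_boot_state() {
    enable="$1"
    rules="$2"
    if [ "$enable" != "1" ]; then
        # Firewall bypassed: packets flow with no filtering at all
        echo OPEN_WINDOW
        return 0
    fi
    # Count rules other than the implicit default rule 65535
    # ("|| true" keeps grep's exit status 1 on zero matches from tripping set -e)
    nondefault=$(printf '%s\n' "$rules" | grep -v '^65535 ' | grep -c . || true)
    if [ "$nondefault" -eq 0 ] && printf '%s\n' "$rules" | grep -q '^65535 deny ip from any to any'; then
        # Only the compiled-in default-deny rule: rc.d scripts that need the
        # network before rc.d/ipfw has loaded a ruleset will fail
        echo BLOCKED
        return 0
    fi
    echo FILTERED
}

# Live check on a FreeBSD host (assumes sysctl(8) and ipfw(8) are present);
# reports UNKNOWN elsewhere so the script stays usable on other systems
fw_boot_state_live() {
    command -v ipfw >/dev/null 2>&1 || { echo UNKNOWN; return 0; }
    fw_boot_state "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)"
}

# Constructed sample rulesets
DEFAULT_DENY_ONLY='65535 deny ip from any to any'
LOADED_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 22 setup
65535 deny ip from any to any'

# Demonstration on the constructed samples
fw_boot_state 1 "$DEFAULT_DENY_ONLY"   # BLOCKED
fw_boot_state 0 "$DEFAULT_DENY_ONLY"   # OPEN_WINDOW
fw_boot_state 1 "$LOADED_RULES"        # FILTERED
```

Run as an rc.d-style probe (for example from a local script early in boot) to log which of the two failure modes a host is in; the pure function `fw_boot_state` takes captured text so it can also be exercised offline against saved `ipfw list` output.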