Date: Fri, 24 Apr 1998 11:33:06 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: conf/6406: Tweak to rc.firewall
Message-ID: <199804241833.LAA01209@bubba.whistle.com>
>Number:         6406
>Category:       conf
>Synopsis:       Tweak to rc.firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 24 11:40:04 PDT 1998
>Last-Modified:
>Originator:     Archie Cobbs
>Organization:
Whistle Communications, Inc.
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:
FreeBSD 2.2.6
>Description:
/etc/rc.firewall rule needs strengthening

The ipfw rule

	add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

should really be

	add 1010 deny all from any to 127.0.0.0/8

because someone who set their route to 127.0.0.0/8 via your machine
could still connect to your internally bound services as long as
their source address was not on the 127/8 network (isn't this
the point of this rule?)

Also, I renumbered the rules to make sure they are first.
>How-To-Repeat:
Set up 2 FreeBSD machines. On machine A install these rules.
On machine B, disable your lo0 interface and set a route to
127.0.0.0/8 via machine A. Now from machine B you can connect to
any internal service on machine A bound to the 127.0.0.1 address.
>Fix:
Index: rc.firewall =================================================================== RCS file: /cvs/freebsd/src/etc/rc.firewall,v retrieving revision 1.6.2.6 diff -c -r1.6.2.6 rc.firewall *** rc.firewall 1998/02/10 01:45:57 1.6.2.6 --- rc.firewall 1998/04/24 18:29:53 *************** *** 67,74 **** ############ # Only in rare cases do you want to change these rules ! $fwcmd add 1000 pass all from any to any via lo0 ! $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8 # Prototype setups. --- 67,74 ---- ############ # Only in rare cases do you want to change these rules ! $fwcmd add 100 pass all from any to any via lo0 ! $fwcmd add 200 deny all from any to 127.0.0.0/8 # Prototype setups.
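Review bot: Rule 200 is only correct because rule 100 runs before it: legitimate loopback traffic to 127/8 arrives via lo0 and is accepted by `$fwcmd add 100 pass all from any to any via lo0`, after which `$fwcmd add 200 deny all from any to 127.0.0.0/8` catches everything else addressed to 127/8. The comment above the pair ("Only in rare cases do you want to change these rules") should say explicitly that the two rules must stay in this order, so a later edit does not reorder or separate them. Also, dropping the source side of the old rule leaves the mirror case uncovered: a packet arriving on a non-loopback interface with a 127/8 source and a non-127/8 destination matches neither rule 100 nor rule 200; a companion `deny all from 127.0.0.0/8 to any` placed after rule 100 would reject such packets as well.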
>Audit-Trail:
>Unformatted:
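To make the matching argument in the Description concrete, here is an added example (not part of the PR, and not rc.firewall's own code) that models ipfw's first-match evaluation in Python over the two rule sets from the diff. The trailing `add 65000 pass all from any to any` standing in for the rest of the ruleset, the external interface name ed0, and the 192.168.1.2 source address are assumptions.

```python
import ipaddress

# Constructed sample inputs: the two rule sets from the PR's diff, in ipfw syntax.
OLD_RULES = ["add 1000 pass all from any to any via lo0",
             "add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8"]
NEW_RULES = ["add 100 pass all from any to any via lo0",
             "add 200 deny all from any to 127.0.0.0/8"]
# Assumption: a permissive trailing rule stands in for the rest of rc.firewall.
OPEN_TAIL = "add 65000 pass all from any to any"

def parse_rule(text):
    """Parse 'add NUM ACTION PROTO from SRC to DST [via IFACE]' into a dict."""
    tok = text.split()
    if len(tok) not in (8, 10) or tok[0] != "add" or tok[4] != "from" or tok[6] != "to":
        raise ValueError("unsupported rule syntax: " + text)
    via = None
    if len(tok) == 10:
        if tok[8] != "via":
            raise ValueError("unsupported rule syntax: " + text)
        via = tok[9]
    return {"num": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": tok[5], "dst": tok[7], "via": via}

def addr_matches(spec, addr):
    """'any' matches everything; otherwise addr must fall inside the CIDR spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    # Only 'all' is used as the protocol here, so just addresses and the
    # interface are checked. pkt is {"src", "dst", "iface"}.
    return (addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))

def evaluate(rules, pkt):
    """First-match evaluation in rule-number order, as ipfw does."""
    for rule in sorted(map(parse_rule, rules), key=lambda r: r["num"]):
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"          # nothing matched: ipfw's default final rule denies

# The How-To-Repeat packet: an outside host (constructed address) reaching a
# 127.0.0.1-bound service through an external interface (assumed ed0), and a
# normal loopback packet that must keep working under both rule sets.
ROUTED_IN = {"src": "192.168.1.2", "dst": "127.0.0.1", "iface": "ed0"}
LOOPBACK = {"src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"}

if __name__ == "__main__":
    for name, rules in (("old", OLD_RULES), ("new", NEW_RULES)):
        print(name, "routed-in:", evaluate(rules + [OPEN_TAIL], ROUTED_IN),
              "loopback:", evaluate(rules + [OPEN_TAIL], LOOPBACK))
```

Under the old rules the routed-in packet reaches the trailing pass rule because its source is not in 127/8; under the new rules rule 200 denies it while rule 100 still passes loopback traffic.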