From owner-freebsd-bugs Fri Apr 24 11:40:36 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26944 for freebsd-bugs-outgoing; Fri, 24 Apr 1998 11:40:36 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26892; Fri, 24 Apr 1998 11:40:17 -0700 (PDT) (envelope-from gnats)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA24898 for ; Fri, 24 Apr 1998 11:33:43 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id LAA08996 for ; Fri, 24 Apr 1998 11:33:08 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma008987; Fri Apr 24 11:33:06 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id LAA01209; Fri, 24 Apr 1998 11:33:06 -0700 (PDT)
Message-Id: <199804241833.LAA01209@bubba.whistle.com>
Date: Fri, 24 Apr 1998 11:33:06 -0700 (PDT)
From: Archie Cobbs
Reply-To: archie@whistle.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: conf/6406: Tweak to rc.firewall
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         6406
>Category:       conf
>Synopsis:       Tweak to rc.firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 24 11:40:04 PDT 1998
>Last-Modified:
>Originator:     Archie Cobbs
>Organization:   Whistle Communications, Inc.
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:
FreeBSD 2.2.6
>Description:
/etc/rc.firewall rule needs strengthening. The ipfw rule

    add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8

should really be

    add 1010 deny all from any to 127.0.0.0/8

because someone who set their route to 127.0.0.0/8 via your machine could still connect to your internally bound services as long as their source address was not on the 127/8 network (isn't this the point of this rule?). Also, I renumbered the rules to make sure they are first.
>How-To-Repeat:
Set up 2 FreeBSD machines. On machine A install these rules. On machine B, disable your lo0 interface and set a route to 127.0.0.0/8 via machine A. Now from machine B you can connect to any internal service on machine A bound to the 127.0.0.1 address.
>Fix:
Index: rc.firewall =================================================================== RCS file: /cvs/freebsd/src/etc/rc.firewall,v retrieving revision 1.6.2.6 diff -c -r1.6.2.6 rc.firewall *** rc.firewall 1998/02/10 01:45:57 1.6.2.6 --- rc.firewall 1998/04/24 18:29:53 *************** *** 67,74 **** ############ # Only in rare cases do you want to change these rules ! $fwcmd add 1000 pass all from any to any via lo0 ! $fwcmd add 1010 deny all from 127.0.0.0/8 to 127.0.0.0/8 # Prototype setups. --- 67,74 ---- ############ # Only in rare cases do you want to change these rules ! $fwcmd add 100 pass all from any to any via lo0 ! $fwcmd add 200 deny all from any to 127.0.0.0/8 # Prototype setups.
>Audit-Trail:
>Unformatted:
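Review bot: the new rule 200, `$fwcmd add 200 deny all from any to 127.0.0.0/8`, is a strict superset of the old `deny all from 127.0.0.0/8 to 127.0.0.0/8`, so it covers the routed-to-127/8 case in the report, but neither version catches the mirror case of a packet arriving on a non-loopback interface with a 127.0.0.0/8 source address and a non-127/8 destination; since rule 100 already passes all legitimate traffic via lo0 before rule 200 is reached, a companion `$fwcmd add 200 deny all from 127.0.0.0/8 to any` would close that gap without affecting local traffic. Separately, the renumbering from 1000/1010 to 100/200 is the reason these rules now run first, but the unchanged comment `# Only in rare cases do you want to change these rules` does not say that ordering is the point; add a line stating that nothing should be added below rule 200 so later edits to rc.firewall do not reintroduce a rule ahead of the loopback checks.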