Date:      Mon, 3 Mar 2003 22:11:38 +0700 (KRAT)
From:      Eugene Grosbein <eugen@grosbein.pp.ru>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        arch@freebsd.org
Subject:   [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmful
Message-ID:  <200303031511.h23FBcmB000870@grosbein.pp.ru>

>Submitter-Id:	current-users
>Originator:	Eugene Grosbein
>Organization:	Svyaz Service JSC
>Confidential:	no
>Synopsis:	[PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmful
>Severity:	serious
>Priority:	low
>Category:	misc
>Class:		change-request
>Release:	FreeBSD 4.8-PRERELEASE i386
>Environment:
System: FreeBSD grosbein.pp.ru 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #2: Sat Mar 1 21:20:16 KRAT 2003 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386

>Description:
	Revision 1.13 of /etc/rc.firewall, 5 years ago, introduced the
	ability to pass firewall_type as $1. This feature is not
	documented in the rc(8) man page. Meanwhile, /etc/rc.network
	invokes /etc/rc.firewall using the '.' command, so /etc/rc.firewall
	will inherit $1.

	rc.network also invokes /etc/start_$ifname using '.'.
	An unsuspecting administrator may write start_$ifname so that
	it sets positional parameters. /etc/rc.firewall will then catch $1
	and ignore firewall_type from /etc/rc.conf. Most probably,
	this will result in a set of rules consisting of the
	default rule only, which is 'deny from any to any'.
	That's dangerous and might be hard to debug and recover from.

>How-To-Repeat:

	Try using such an /etc/start_gre script to assist WCCP:

#!/bin/sh

routers="1.2.3.4 5.6.7.8"   # WCCP-compatible gateways
wccp_int="fxp0"		    # we try not to hardcode our IP
			    # but autosense from /etc/rc.conf

eval set \$interface_$wccp_int	# generally, this is an easy way
my_ip=$2			# to get ip address of interface
				# from /etc/rc.conf

# configure tunnels
for ...

	The documentation nowhere warns that one should not use such
	constructions. So we will have $1="inet" here, and rc.firewall will
	NOT load firewall rules if /etc/inet does not exist. That may be
	harmful. The same applies to rc.firewall6, but I did not try it.

>Fix:

	A decision has to be taken. One should either correct rc(8)
	to warn administrators or take some measures.
	For example, it's possible to unset positional parameters
	before running /etc/rc.firewall.

	Apply this patch to /etc:

--- rc.network.orig	Mon Mar  3 22:05:32 2003
+++ rc.network	Mon Mar  3 22:00:30 2003
@@ -330,6 +330,7 @@
 		case ${firewall_enable} in
 		[Yy][Ee][Ss])
 			if [ -r "${firewall_script}" ]; then
+				while shift 2>/dev/null; do :; done
 				. "${firewall_script}"
 				echo -n 'Firewall rules loaded, starting divert daemons:'
 
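Review bot: the added `while shift 2>/dev/null; do :; done` always ends with one failing `shift`, and `shift` is a special builtin whose failure past the end of the parameter list is fatal to a non-interactive shell in some sh implementations, so this line could abort rc.network instead of merely clearing its parameters; `set --` clears every positional parameter with a single builtin and no dependence on that error behaviour. The line also carries no comment, so a reader of rc.network sees an unexplained loop right where the PR says the existing behaviour is already obscure; a one-line comment such as "discard positional parameters so a dotted start_$ifname cannot feed $1 to rc.firewall" would document the reason in the place it matters.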
--- rc.network6.orig	Mon Mar  3 22:10:43 2003
+++ rc.network6	Mon Mar  3 22:10:33 2003
@@ -67,6 +67,7 @@
 		case ${ipv6_firewall_enable} in
 		[Yy][Ee][Ss])
 			if [ -r "${ipv6_firewall_script}" ]; then
+				while shift 2>/dev/null; do :; done
 				. "${ipv6_firewall_script}"
 				echo -n 'IPv6 Firewall rules loaded.'
 			elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
 
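Review bot: same construct duplicated verbatim here, with the same concern: `set --` is the safer single-builtin equivalent of the `shift` loop, and the line should carry the same explanatory comment as in rc.network. The PR text says the IPv6 case was not tried, so this hunk should be marked as untested in the submission, and the lack of a "$1" check in the visible lines means the reviewer cannot tell from this hunk alone whether ipv6_firewall_script reads $1 at all.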

	OTOH, one may wrap the invocation of rc.firewall[6] in a function.

Eugene Grosbein

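The scenario the PR describes, as an added, self-contained example that is not part of the original message or of FreeBSD's rc scripts: stand-ins for the relevant rc.conf variables, for /etc/start_fxp0 and for the rc.firewall prologue are constructed in a temporary directory, and three functions mimic rc.network as shipped, the patch's clearing of positional parameters, and the function-wrapper alternative. The interface name, the addresses, the `open` firewall type and the stand-in file contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeBSD's rc code): shows how a '.'-sourced
# /etc/start_$ifname that calls 'set' leaks $1 into a later '.'-sourced
# rc.firewall, and two ways rc.network could prevent it.

demo_dir=$(mktemp -d)                 # constructed stand-in for /etc
trap 'rm -rf "$demo_dir"' EXIT

# Constructed rc.conf values (assumed for the demo).
interface_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
firewall_type="open"

# Stand-in for /etc/start_fxp0: the 'eval set \$interface_$ifname' idiom
# from the PR, which overwrites the positional parameters of whatever
# scope sources this file.
cat > "$demo_dir/start_fxp0" <<'EOF'
eval set \$interface_fxp0
my_ip=$2
EOF

# Stand-in for the rc.firewall prologue: a non-empty $1 overrides
# firewall_type from rc.conf (the behaviour the PR describes);
# loaded_type records which rule set would actually be loaded.
cat > "$demo_dir/rc.firewall" <<'EOF'
if [ -n "$1" ]; then
    firewall_type="$1"
fi
loaded_type="$firewall_type"
EOF

# rc.network as shipped: both files sourced in the same scope, so
# rc.firewall sees the $1="inet" left behind by start_fxp0.
run_unpatched() {
    set --
    firewall_type="open"
    . "$demo_dir/start_fxp0"
    . "$demo_dir/rc.firewall"
    echo "$loaded_type"
}

# The patch's idea: discard every positional parameter before sourcing
# rc.firewall.  Written with an explicit $# guard because a 'shift' past
# the end of the list is a fatal error in some shells; 'set --' is the
# one-builtin equivalent.
run_shift_fix() {
    set --
    firewall_type="open"
    . "$demo_dir/start_fxp0"
    while [ $# -gt 0 ]; do shift; done
    . "$demo_dir/rc.firewall"
    echo "$loaded_type"
}

# The alternative mentioned in the PR: source rc.firewall from inside a
# function called with no arguments, so its $1 is the function's own
# (empty) $1 rather than whatever start_fxp0 left in the caller's scope.
load_firewall() {
    . "$demo_dir/rc.firewall"
}
run_function_fix() {
    set --
    firewall_type="open"
    . "$demo_dir/start_fxp0"
    load_firewall
    echo "$loaded_type"
}

echo "unpatched:     $(run_unpatched)"      # inet  (rules would not load)
echo "shift loop:    $(run_shift_fix)"      # open
echo "function wrap: $(run_function_fix)"   # open
```

The unpatched path reports the firewall type as `inet`, the first word of the interface definition, which is exactly the bogus value the PR says rc.firewall would try to load; both fixes report the configured `open`. Note that the function wrapper protects only the parameters: variables such as `my_ip` assigned by the dotted script still land in the sourcing shell.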