From owner-freebsd-arch Mon Mar 3 7:15:21 2003
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFA4E37B401; Mon, 3 Mar 2003 07:15:18 -0800 (PST)
Received: from grosbein.pp.ru (www2.svzserv.kemerovo.su [213.184.65.86]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21CCB43FBD; Mon, 3 Mar 2003 07:15:08 -0800 (PST) (envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (smmsp@localhost [127.0.0.1]) by grosbein.pp.ru (8.12.7/8.12.7) with ESMTP id h23FF0W2001180; Mon, 3 Mar 2003 22:15:00 +0700 (KRAT) (envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost) by grosbein.pp.ru (8.12.7/8.12.7/Submit) id h23FBcmB000870; Mon, 3 Mar 2003 22:11:38 +0700 (KRAT)
Date: Mon, 3 Mar 2003 22:11:38 +0700 (KRAT)
Message-Id: <200303031511.h23FBcmB000870@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmful
From: Eugene Grosbein
Reply-To: Eugene Grosbein
Cc: arch@freebsd.org
X-send-pr-version: 3.113
X-GNATS-Notify:
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>Submitter-Id: current-users
>Originator: Eugene Grosbein
>Organization: Svyaz Service JSC
>Confidential: no
>Synopsis: [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmful
>Severity: serious
>Priority: low
>Category: misc
>Class: change-request
>Release: FreeBSD 4.8-PRERELEASE i386
>Environment:
System: FreeBSD grosbein.pp.ru 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #2: Sat Mar 1 21:20:16 KRAT 2003 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386
>Description:
Revision 1.13 of /etc/rc.firewall, 5 years ago, introduced the ability to pass firewall_type as $1. This feature is not documented in the rc(8) man page. Meanwhile, /etc/rc.network invokes /etc/rc.firewall using the '.' command, so /etc/rc.firewall will inherit $1. rc.network will invoke /etc/start_$ifname using '.' as well. An unsuspecting administrator may write start_$ifname so that it sets positional parameters. /etc/rc.firewall will then catch $1 and ignore firewall_type from /etc/rc.conf. Most probably, this will result in a set of rules consisting of the default rule only, that is 'deny from any to any'. That's dangerous and might be hard to debug and recover from.
>How-To-Repeat:
Try to use such a /etc/start_gre script to assist WCCP:

    #!/bin/sh
    routers="1.2.3.4 5.6.7.8"   # WCCP-compatible gateways
    wccp_int="fxp0"
    # we try not to hardcode our IP but autosense it from /etc/rc.conf
    eval set \$interface_$wccp_int
    # generally, this is an easy way to get the IP address of the interface
    # from /etc/rc.conf
    my_ip=$2
    # configure tunnels for ...

The documentation nowhere warns that one should not use such constructions. So we will have $1="inet" here and rc.firewall will NOT load firewall rules if /etc/inet does not exist.
That may be harmful. The same applies to the rc.firewall(6) but I did not try it.
>Fix:
A decision has to be taken. One should correct rc(8) to warn administrators or take some measures. For example, it's possible to unset positional parameters before running /etc/rc.firewall. Apply this patch to /etc:

--- rc.network.orig Mon Mar 3 22:05:32 2003 +++ rc.network Mon Mar 3 22:00:30 2003 @@ -330,6 +330,7 @@ case ${firewall_enable} in [Yy][Ee][Ss]) if [ -r "${firewall_script}" ]; then + while shift 2>/dev/null; do :; done . "${firewall_script}" echo -n 'Firewall rules loaded, starting divert daemons:' --- rc.network6.orig Mon Mar 3 22:10:43 2003 +++ rc.network6 Mon Mar 3 22:10:33 2003 @@ -67,6 +67,7 @@ case ${ipv6_firewall_enable} in [Yy][Ee][Ss]) if [ -r "${ipv6_firewall_script}" ]; then + while shift 2>/dev/null; do :; done . "${ipv6_firewall_script}" echo -n 'IPv6 Firewall rules loaded.' elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then

OTOH, one may wrap the invocation of rc.firewall[6] into a function.

Eugene Grosbein

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
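Review bot: In the rc.network hunk, the added `while shift 2>/dev/null; do :; done` before `. "${firewall_script}"` can be replaced by the single builtin `set --`, which empties the positional parameters in one step, needs no loop and no stderr redirect to hide the error `shift` prints once nothing is left, and states the intent ("drop the arguments") rather than the mechanism. Whichever form is kept, it runs in the same shell as the rest of rc.network, so any code after this point that relied on rc.network's own $1 no longer sees it; the function-wrapper alternative mentioned at the end of the report avoids that side effect because a function call gets its own positional parameters.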
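Review bot: The rc.network6 hunk duplicates the same loop verbatim in front of `. "${ipv6_firewall_script}"`; if the rc.network hunk is changed to `set --` this one should match, and since the two hunks differ only in the variable names, a small shared helper that clears the arguments and then sources the script passed to it would keep both call sites from drifting apart. The `elif` branch on the following context line, which inspects `ip6fw l 65535`, sources nothing and is correctly left untouched.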
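The mechanism the report describes, a script sourced with '.' calling `set` and a later sourced script reading the inherited $1, reduced to a self-contained shell script. This is an added example and not part of the PR or of FreeBSD's rc scripts: the start_fxp0 and rc.firewall stand-ins, the interface_fxp0 value and the firewall_type check are constructed here to mirror the behaviour the report describes, and it shows both remedies the report mentions, clearing the positional parameters (with `set --`, a one-step equivalent of the patch's shift loop) and wrapping the invocation in a function.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD's rc scripts): simulate
# /etc/rc.network sourcing a start_$ifname script that calls 'set', then
# sourcing a firewall script that honours $1 the way the report says
# rc.firewall revision 1.13 does. All files and values are constructed.

demo_dir=$(mktemp -d)                  # scratch stand-in for /etc
trap 'rm -rf "$demo_dir"' EXIT

# Constructed stand-ins for /etc/rc.conf settings (192.0.2.10 is a
# documentation address, not a real host).
interface_fxp0="inet 192.0.2.10 netmask 255.255.255.0"
firewall_type="open"

# Constructed start_fxp0, in the style of the report's start_gre script.
# 'set' overwrites the positional parameters of the shell that sources it.
cat > "$demo_dir/start_fxp0" <<'EOF'
wccp_int="fxp0"
eval set \$interface_$wccp_int
my_ip=$2
EOF

# Constructed firewall script mirroring the undocumented behaviour the
# report describes: a non-empty $1 wins over firewall_type from rc.conf.
cat > "$demo_dir/rc.firewall" <<'EOF'
if [ -n "${1}" ]; then
    firewall_type="${1}"
fi
EOF

# Vulnerable ordering: both scripts sourced with '.' in one shell, so the
# 'set' in start_fxp0 leaks into rc.firewall as $1. Each run is wrapped in
# a subshell so the three variants do not affect each other.
run_unprotected() {
    ( . "$demo_dir/start_fxp0"
      . "$demo_dir/rc.firewall"
      printf '%s' "$firewall_type" )
}

# Remedy 1: clear the positional parameters before sourcing rc.firewall.
# 'set --' empties them in one step, equivalent to the patch's shift loop.
run_with_set() {
    ( . "$demo_dir/start_fxp0"
      set --
      . "$demo_dir/rc.firewall"
      printf '%s' "$firewall_type" )
}

# Remedy 2 (the report's closing remark): wrap the invocation in a
# function, which gets its own, empty, positional parameters.
load_firewall() {
    . "$demo_dir/rc.firewall"
}
run_with_function() {
    ( . "$demo_dir/start_fxp0"
      load_firewall
      printf '%s' "$firewall_type" )
}

printf 'unprotected:    firewall_type=%s\n' "$(run_unprotected)"
printf 'set --:         firewall_type=%s\n' "$(run_with_set)"
printf 'function wrap:  firewall_type=%s\n' "$(run_with_function)"
```

Run it as `sh demo.sh`; the first line shows firewall_type silently replaced by the word "inet" that `set` placed in $1, and the two remedies each leave the rc.conf value in place. The subshells are only there to keep the three runs independent; in the real boot sequence the leaked $1 persists for every script sourced afterwards in the same shell.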