Date: Sun, 13 Mar 2005 14:49:18 +0100 (CET) From: Andrea Venturoli <freebsd@netfenece.it> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/78785: [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely Message-ID: <200503131349.j2DDnIZY018239@soth.ventu> Resent-Message-ID: <200503131400.j2DE07rt012621@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 78785 >Category: bin >Synopsis: [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sun Mar 13 14:00:06 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Andrea Venturoli >Release: FreeBSD 5.3-RELEASE-p5 i386 >Organization: NetFence >Environment: System: FreeBSD soth.ventu 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #1: Mon Feb 28 00:34:36 CET 2005 root@soth.ventu:/usr/obj/usr/src/sys/SOTH i386 >Description: Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used. First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again. Notice that using screen (from the port tree) is a viable workaround, when no console access is possible. 4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3. >How-To-Repeat: (Be sure either to have console access or to schedule a reboot before you begin). Put the following line in /etc/rc.conf: firewall_flags="-q -p /usr/bin/somepreprocessor" Login remotely and issue "sh /etc/rc.firewall". >Fix: As said above, use /usr/ports/misc/screen. Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 1.54.2.3), but so simple that it should not be difficult to adapt it to newer revisions): 4031c4031,4032 < fprintf(stderr, "command is %s\n", av[0]); --- > if (!do_quiet) > fprintf(stderr, "command is %s\n", av[0]); You will need to specify -q *before* -p. (This again would not too be difficult to fix). >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200503131349.j2DDnIZY018239>