Date: Fri, 17 Dec 2010 16:21:39 GMT
From: Alexander Verbod <AlexJ@freebsd.forum>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/153252: [ipfw][patch] ipfw lockdown system in subsequent call of "/etc/rc.d/ipfw start"
Message-ID: <201012171621.oBHGLdsP040973@red.freebsd.org>
Resent-Message-ID: <201012171630.oBHGUEjj020094@freefall.freebsd.org>
>Number:         153252
>Category:       bin
>Synopsis:       [ipfw][patch] ipfw lockdown system in subsequent call of "/etc/rc.d/ipfw start"
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 17 16:30:14 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Verbod
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD test.private.local 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
1. The firewall locks down the system if the script "/etc/rc.d/ipfw start" is called twice.
2. The "sysctl" utility inside the "/etc/rc.d/ipfw" script is used without a full path prefix, which causes an error if the PATH environment variable contains the current directory "./" and the script is called from the directory "/etc/rc.d".
3. The /etc/rc.d/ipfw script always adds "/etc/rc.d/natd" to the "firewall_coscripts" variable, regardless of whether "natd" was enabled in rc.conf or not.
>How-To-Repeat: Add to "/etc/rc.conf" following strings: #===================== firewall_enable='YES' firewall_type='OPEN' firewall_logging='YES' firewall_quiet='NO' firewall_nat_enable='NO' natd_enable='NO' dummynet_enable='NO' #===================== then start firewall: /etc/rc.d/ipfw start second attempt to run /etc/rc.d/ipfw start will lock-down system >Fix: Attached patch will fix all three issues Patch attached with submission follows: *** ipfw.orig 2010-07-31 18:52:54.000000000 -0400 --- ipfw 2010-12-17 10:02:54.000000000 -0500 *************** *** 39,45 **** --- 39,56 ---- _firewall_type=$1 + # check if firewall already running to prevent subsequent start calls + # + [ $( ${SYSCTL_N} net.inet.ip.fw.enable ) -ne 0 ] && { + warn 'Firewall is already running.'; + _ipfw_running_status=1; + return 1; + } || { + _ipfw_running_status=0; + } + # set the firewall rules script if none was specified + # [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall if [ -r "${firewall_script}" ]; then *************** *** 55,61 **** # if checkyesno firewall_logging; then echo 'Firewall logging enabled.' ! sysctl net.inet.ip.fw.verbose=1 >/dev/null fi } --- 66,72 ---- # if checkyesno firewall_logging; then echo 'Firewall logging enabled.' ! ${SYSCTL_W} net.inet.ip.fw.verbose=1 >/dev/null fi } *************** *** 63,72 **** { local _coscript # Start firewall coscripts # for _coscript in ${firewall_coscripts} ; do ! if [ -f "${_coscript}" ]; then ${_coscript} quietstart fi done --- 74,89 ---- { local _coscript + # stop proccessing if firewall is already running + # + [ ${_ipfw_running_status} -eq 1 ] && { + return 1; + } + # Start firewall coscripts # for _coscript in ${firewall_coscripts} ; do ! if [ -f "${_coscript}" -a -x "${_coscript}" ]; then ${_coscript} quietstart fi done *************** *** 98,110 **** # Stop firewall coscripts # for _coscript in `reverse_list ${firewall_coscripts}` ; do ! 
if [ -f "${_coscript}" ]; then ${_coscript} quietstop fi done } load_rc_config $name ! firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" run_rc_command $* --- 115,132 ---- # Stop firewall coscripts # for _coscript in `reverse_list ${firewall_coscripts}` ; do ! if [ -f "${_coscript}" -a -x "${_coscript}" ]; then ${_coscript} quietstop fi done } load_rc_config $name ! ! if checkyesno firewall_nat_enable; then ! firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" ! elif checkyesno natd_enable; then ! firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" ! fi run_rc_command $* >Release-Note: >Audit-Trail: >Unformatted:
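Review bot: The running check in the first hunk (`[ $( ${SYSCTL_N} net.inet.ip.fw.enable ) -ne 0 ]`) is not safe when the OID cannot be read, for example before the ipfw module is loaded: the unquoted substitution expands to nothing, the test degenerates to `[ -ne 0 ]`, sh reports a syntax error, and the `||` branch runs anyway, so the result depends on error handling rather than on firewall state. Quote it and give it a default, e.g. `[ "$( ${SYSCTL_N} net.inet.ip.fw.enable 2>/dev/null || echo 0 )" -ne 0 ]`, so an unreadable OID reads as "not running". A second point: the kernel default for net.inet.ip.fw.enable is 1, so on a kernel with ipfw compiled in, or when the module was loaded by something else before this script ran, the test would refuse the very first `start` and leave whatever default rule set the kernel has in place; if that case matters, "already running" needs a marker that the rules script actually ran, not the enable knob alone. Lastly, `return 1` makes run_rc_command report the start as failed, which is presumably intended but should be stated in the submission text.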
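Review bot: In the poststart hunk, `[ ${_ipfw_running_status} -eq 1 ]` is unquoted and the variable is only ever assigned inside the start routine, so on any path where poststart runs without start having set it the test becomes `[ -eq 1 ]` and fails with a syntax error; initialise it at file scope (`_ipfw_running_status=0`) or write `[ "${_ipfw_running_status:-0}" -eq 1 ]`. If run_rc_command already skips the poststart when the start command returns non-zero, the early `return 1` in start makes this guard redundant, and the submission should say which behaviour it relies on. Adding `-x` to the coscript test also changes semantics: a coscript that exists but is not executable is now skipped silently instead of producing a visible error, which hides a misconfiguration; a `warn` in an else branch would keep the operator informed.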
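Review bot: The two `checkyesno` branches at the end of the last hunk assign the identical string, so they collapse to one condition: `if checkyesno firewall_nat_enable || checkyesno natd_enable; then firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"; fi`. Keep in mind that `checkyesno` warns when a variable is unset or not a yes/no value, so this relies on both knobs having defaults in /etc/defaults/rc.conf; if either could be absent on some configurations, test `[ -n "${natd_enable}" ]` before calling it. The `-f ... -a -x ...` change in the stop loop has the same silent-skip effect for a non-executable coscript as in the start loop, so `quietstop` would never be attempted for it and the rules it installed would remain; a warning there is cheap.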
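As an added example, not code from this PR or from the FreeBSD /etc/rc.d/ipfw script: a POSIX sh version of the "already running" test that addresses issues 1 and 2 of the report together, calling sysctl by full path and degrading safely when the OID cannot be read instead of letting an empty command substitution turn the test into a syntax error. The function names `ipfw_state` and `ipfw_guard_start`, the three-way return code and the overridable `SYSCTL_N` default are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the PR or from /etc/rc.d/ipfw.
# Decide whether ipfw rules are already active without the two failure
# modes seen in the patch: a PATH lookup of "sysctl" and an empty command
# substitution that turns "[ ... -ne 0 ]" into a syntax error.

# Full path, so a "." in PATH cannot substitute another sysctl binary.
# Overridable so the function can be exercised with a stand-in command
# (an assumption of this example; rc.subr also defines SYSCTL_N).
SYSCTL_N="${SYSCTL_N:-/sbin/sysctl -n}"

# ipfw_state: 0 = firewall enabled, 1 = firewall disabled,
#             2 = OID unreadable (module not loaded, sysctl missing, odd value)
ipfw_state() {
    _v=$( ${SYSCTL_N} net.inet.ip.fw.enable 2>/dev/null ) || return 2
    case "${_v}" in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;   # never let a stray value reach a numeric test
    esac
}

# ipfw_guard_start: refuse a second start (state 0) but allow a first start
# when the firewall is disabled or the OID is not readable yet (states 1, 2).
ipfw_guard_start() {
    if ipfw_state; then
        echo 'Firewall is already running.' >&2
        return 1
    fi
    return 0
}

# Stand-alone run: report what this host's sysctl says.
if ipfw_state; then
    echo 'ipfw: enabled'
else
    echo "ipfw: not enabled (state $?)"
fi
```

Mapping the unreadable case to its own status, rather than to "running", is what keeps the first `start` working on a host where the module is loaded by the script itself; only an explicit `1` from the kernel refuses the call.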