Date: Mon, 17 Nov 1997 03:06:31 -0800 (PST)
From: Studded@dal.net
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/5068: Patches for ipfw "default allow" choice in -Stable
Message-ID: <199711171106.DAA06211@dt5h1n61.san.rr.com>
Resent-Message-ID: <199711171110.DAA03065@hub.freebsd.org>
>Number: 5068
>Category: kern
>Synopsis: Patches to import the IPFIREWALL_DEFAULT_TO_ACCEPT option from -Current
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 17 03:10:01 PST 1997
>Last-Modified:
>Originator: Studded@dal.net
>Organization:
Just me
>Release: FreeBSD 2.2-971111-SNAP i386
>Environment:
Any -Stable system with ipfw
>Description:
After long discussions with Alex Nash regarding my long battle to
allow some flexibility in the default ipfw setup, I determined that the
best option would be to back port the IPFIREWALL_DEFAULT_TO_ACCEPT option
from -Current. Many many thanks to Alex for his patience and advice. I
of course take all blame for what I'm sending here.
>How-To-Repeat:
Build and use ipfw
>Fix:
Enclosed below are diffs to version 1.51.2.5 of
/usr/src/sys/netinet/ip_fw.c, and 1.286.2.33 of LINT. To get the diff for
LINT, I just copied the stuff exactly from the -Current LINT file. The
patch for ip_fw.c is a diff between the version in -Current (1.65) and the
one in -Stable, minus the malloc and divert changes.
I made two small improvements. The first is just a spelling change
on the line in LINT that has the actual option, default instead of defalt.
The other is the addition of a printf which states that the default rule
is closed, similar to the change made in current to show that the default
rule is open if the option is selected.
I've built and used kernels both with and without the option, and
both work as expected. I think this small change would be of tremendous
benefit to the users of -Stable.
Thanks,
Doug
--- LINT.Dist Sat Nov 15 21:33:51 1997
+++ LINT Sat Nov 15 22:36:51 1997
@@ -333,6 +333,21 @@
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
+# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
+# and if you do not add other rules during startup to allow access,
+# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall=open
+# in /etc/rc.conf when first enabling this feature, then refining the
+# firewall rules in /etc/rc.firewall after you've tested that the new kernel
+# feature works properly.
+#
+# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
+# allow everything. Use with care, if a cracker can crash your
+# firewall machine, they can get to your protected machines. However,
+# if you are using it as an as-needed filter for specific problems as
+# they arise, then this may be for you. Changing the default to 'allow'
+# means that you won't get stuck if the kernel and /sbin/ipfw binary get
+# out of sync.
+#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
#
# TCPDEBUG is undocumented.
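Review bot: the new WARNING paragraph says "set firewall=open in /etc/rc.conf ... then refining the firewall rules", which should read "then refine" to parallel "set". More importantly, since this text was copied verbatim from the -Current LINT, confirm that the -Stable /etc/rc.conf and /etc/rc.firewall actually honour firewall=open before shipping the advice in -Stable; a user who follows it on a system without that knob gets locked out exactly as the WARNING describes. The second paragraph's trade-off (a crashed or out-of-sync firewall host fails open rather than closed) is stated clearly and is the right thing to keep next to the option.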
@@ -343,6 +358,7 @@
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
+options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPDIVERT #divert sockets
options TCPDEBUG
--- ip_fw.c.Dist Sat Nov 15 21:07:55 1997
+++ ip_fw.c Sat Nov 15 22:06:10 1997
@@ -938,18 +938,23 @@
void
ip_fw_init(void)
{
- struct ip_fw deny;
+ struct ip_fw default_rule;
ip_fw_chk_ptr = ip_fw_chk;
ip_fw_ctl_ptr = ip_fw_ctl;
LIST_INIT(&ip_fw_chain);
- bzero(&deny, sizeof deny);
- deny.fw_prot = IPPROTO_IP;
- deny.fw_number = (u_short)-1;
- deny.fw_flg |= IP_FW_F_DENY;
- deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
- if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
+ bzero(&default_rule, sizeof default_rule);
+ default_rule.fw_prot = IPPROTO_IP;
+ default_rule.fw_number = (u_short)-1;
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ default_rule.fw_flg |= IP_FW_F_ACCEPT;
+#else
+ default_rule.fw_flg |= IP_FW_F_DENY;
+#endif
+ default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
+ if (check_ipfw_struct(&default_rule) == NULL ||
+ add_entry(&ip_fw_chain, &default_rule))
panic(__FUNCTION__);
printf("IP packet filtering initialized, "
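Review bot: the #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT block silently changes the action of the catch-all rule (the one numbered (u_short)-1 that applies when nothing earlier matches), and ip_fw_init carries no comment saying so. A one-line comment above the #ifdef, e.g. "/* last-resort rule: action chosen at compile time */", would help readers of ip_fw.c who never look at LINT. The rest of the hunk is a straight rename of `deny` to `default_rule` plus the conditional flag, and the split `if (...) ||` / `add_entry(...)` keeps the same panic path, so the logic reads correctly.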
@@ -957,6 +962,11 @@
"divert enabled, ");
#else
"divert disabled, ");
+#endif
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ printf("default to accept, ");
+#else
+ printf("default to deny, ");
#endif
#ifndef IPFIREWALL_VERBOSE
printf("logging disabled\n");
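Review bot: the two added printf calls are separate statements rather than more continuation strings of the first printf; that matches the existing `printf("logging disabled\n")` below, so there is no style issue, but note that the "divert enabled, " / "divert disabled, " strings above are continuations, so the mixed form is worth a glance if this block is ever reworked. The boot message is the only runtime indication of which policy was compiled in, which is why this hunk is worth keeping alongside the LINT change; it is also the simplest thing an operator can grep dmesg for to verify that the kernel and the intended rc.firewall policy agree.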
>Audit-Trail:
>Unformatted: