Date: Sun, 11 Mar 2012 19:09:24 GMT
From: Radim Kolar <hsn@sendmail.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/165939: [security bug] incomplete firewall rules loaded if tables are used in ipfw.conf
Message-ID: <201203111909.q2BJ9OJh094133@red.freebsd.org>
Resent-Message-ID: <201203111910.q2BJAEMO045324@freefall.freebsd.org>
>Number: 165939
>Category: misc
>Synopsis: [security bug] incomplete firewall rules loaded if tables are used in ipfw.conf
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Mar 11 19:10:14 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Radim Kolar
>Release: 8.2 amd64
>Organization:
FILEZ.com
>Environment:
>Description:
If a user has tables used in /etc/ipfw.conf, for example:
table 1 add 64.6.108.239
then a firewall restart:
/etc/rc.d/ipfw start
fails with:
Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
Firewall rules loaded.
and an incomplete ruleset is loaded. This is a serious security problem.
>How-To-Repeat:
>Fix:
In /etc/rc.firewall, after
${fwcmd} -f flush
you need to flush the tables too, with the command
ipfw table all flush
>Release-Note:
>Audit-Trail:
>Unformatted:
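The fix described in this report, flushing the tables as well as the rules before the ruleset is reloaded, written as a reload function that also checks the load status instead of printing "Firewall rules loaded." over a partial load. This is an added example, not code from the submitter or from FreeBSD's /etc/rc.firewall; the ipfw path, the ruleset file name and the use of "ipfw [-q] pathname" to load it are assumptions.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset that contains "table N add" lines.
# Assumptions: FreeBSD host with ipfw(8), run as root, ruleset in a file that
# ipfw can read directly ("ipfw [-q] pathname").

reload_ipfw() {
    fwcmd="${1:-/sbin/ipfw}"      # ipfw binary (or a stub for testing)
    conf="${2:-/etc/ipfw.conf}"   # ruleset with rule and "table N add" lines

    # "ipfw -f flush" removes rules but leaves tables intact. On a restart the
    # ruleset's "table N add X" then hits an entry that already exists, ipfw
    # reports "setsockopt(IP_FW_TABLE_ADD): File exists" and stops, so the
    # rules after that line never get loaded. Flushing the tables first
    # makes the reload idempotent.
    "$fwcmd" -f flush || { echo "reload_ipfw: rule flush failed" >&2; return 1; }
    "$fwcmd" table all flush || { echo "reload_ipfw: table flush failed" >&2; return 1; }

    # Load the ruleset and check the status: ipfw exits non-zero when a line
    # fails, and an unchecked status is how the rc script prints
    # "Firewall rules loaded." although the ruleset is incomplete.
    if ! "$fwcmd" -q "$conf"; then
        echo "reload_ipfw: ruleset load FAILED, firewall may be incomplete" >&2
        return 2
    fi
    echo "Firewall rules loaded."
    return 0
}
```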