Date:      Mon, 28 Jan 2002 15:11:38 -0700 (MST)
From:      "M. Warner Losh" <imp@village.org>
To:        nate@yogotech.com
Cc:        cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject:   Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID:  <20020128.151138.115627568.imp@village.org>
In-Reply-To: <15445.48617.802871.870971@caddis.yogotech.com>
References:  <1913.216.153.202.59.1012249133.squirrel@www1.27in.tv> <20020128.135120.11184725.imp@village.org> <15445.48617.802871.870971@caddis.yogotech.com>

I'm most worried about the case where you have compiled ipfw into the
kernel.  When you do that, the default is don't route anything.  I
want to preserve that.

Loading ipfw is less secure than having it in the kernel, since
there's a window at boot that packets can pass.  The problem with ipfw
now is that if you don't have the default deny rule, there's a small
window where you have packets passed.  ipfilter is done much sooner in
the boot process, so it doesn't appear to suffer from this
vulnerability.  If possible, we should move ipfw to the same location
as ipfilter (I suspect that it isn't there for some reason).

We'd also need to change ipfilter rules as well.  It doesn't default
to blocking everything, and if you set ipfilter_enable to NO, you get
that same behavior.

The ipfilter stuff also will blindly try to load the ipfilter rules,
even if ipfilter isn't in the kernel and can't be loaded.

So leaving that aside for the moment, returning to ipfw stuff.
firewall_enable is really firewall_rules_enable at the moment.
Looking at the code closely, we see things like:

	case ${firewall_in_kernel} in
	1)
... (indentation <<)
	case ${firewall_enable} in
	[Yy][Ee][Ss])
		if [ -r "${firewall_script}" ]; then
		...
		elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
			echo 'Warning: kernel has firewall functionality,' \
			     'but firewall rules are not enabled.'
			echo '		 All ip services are disabled.'
		fi
		...
		;;
	esac
	;;
	esac

My understanding of what I want and what you want, rendered in code
excerpt form is:

	# Initialize IP filtering using ipfw
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		ipfw_in_kernel=1
	else
		ipfw_in_kernel=0
	fi

	case ${ipfw_enable} in
	[Yy][Ee][Ss])
		if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
			ipfw_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${ipfw_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	case ${ipfw_in_kernel} in
	1)
... (indentation <<)
	case ${ipfw_firewall_enable} in
	[Nn][Oo])
		echo 'Warning: kernel has firewall functionality,' \
		     'but user disabled it in /etc/rc.conf'
		echo '		 All ip services are ENABLED'
		sysctl ... # turn off ipfw via sysctl
		;;
	*)
		if [ -r "${ipfw_script}" ]; then
		...
		elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
			echo 'Warning: kernel has firewall functionality,' \
			     'but firewall rules are not enabled.'
			echo '		 All ip services are disabled.'
		fi
		...
		;;
	esac
	;;
	esac

Is that right?  Forget my old proposal for the moment (and do a
s/firewall/ipfw/ on all the current firewall_ variables not
specifically mentioned).  We'd introduce an ipfw_firewall_enable.

/etc/defaults/rc.conf would have:

ipfw_enable=no
ipfw_firewall_enable=yes

Or in less shellese pseudo-code:
	in-kernel=`ask the kernel if there's ipfw`
	if !in-kernel && ipfw_enable == yes
		load ipfw
		in-kernel=true
	endif
	if in-kernel
		if ipfw_firewall_enable == no
			turn off ipfw
		else
			load rules, natd, etc.
		endif
	endif

ipfw_enable == Load ipfw if it isn't in the kernel.
ipfw_firewall_enable == turn ipfw on/off if it is in the kernel.

Comments?

Warner
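An added, runnable sketch of the decision logic in the message above (it is not Warner's code or FreeBSD's rc script). The kernel probes are replaced by stand-in functions driven by the made-up knobs SIM_IN_KERNEL and SIM_KLDLOAD_OK, so every combination of ipfw_enable and ipfw_firewall_enable can be checked on a machine without ipfw; the "no" case is placed ahead of the catch-all so it is actually reachable:

```shell
#!/bin/sh
# Stand-ins for the real probes ("ipfw -q flush", "kldload ipfw").
# SIM_IN_KERNEL / SIM_KLDLOAD_OK are constructed knobs for this sketch.
ipfw_probe_in_kernel() { [ "${SIM_IN_KERNEL:-0}" -eq 1 ]; }
ipfw_load_module()    { [ "${SIM_KLDLOAD_OK:-0}" -eq 1 ]; }

# Print, one per line, the actions the proposal would take.
# Arguments: ipfw_enable ipfw_firewall_enable (the rc.conf values).
ipfw_rc_actions() {
    ipfw_enable=$1
    ipfw_firewall_enable=$2
    if ipfw_probe_in_kernel; then ipfw_in_kernel=1; else ipfw_in_kernel=0; fi

    # ipfw_enable: load the module only if ipfw is not already in the kernel.
    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "${ipfw_in_kernel}" -eq 0 ]; then
            if ipfw_load_module; then
                ipfw_in_kernel=1
                echo 'load-module'
            else
                echo 'warn-module-load-failed'
            fi
        fi
        ;;
    esac

    # Nothing further to do without ipfw in the kernel.
    [ "${ipfw_in_kernel}" -eq 1 ] || { echo 'no-ipfw'; return 0; }

    # ipfw_firewall_enable: "no" must precede "*)" or it can never match.
    case ${ipfw_firewall_enable} in
    [Nn][Oo])
        echo 'warn-firewall-disabled'
        echo 'sysctl-disable-ipfw'   # all IP services enabled
        ;;
    *)
        echo 'load-rules'            # rules script, natd, etc.
        ;;
    esac
}
```

The module-load-failure path leaves the in-kernel default deny absent, which is the boot window the message warns about.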
