From owner-freebsd-stable Mon Jan 28 14:12:11 2002
Date: Mon, 28 Jan 2002 15:11:38 -0700 (MST)
Message-Id: <20020128.151138.115627568.imp@village.org>
To: nate@yogotech.com
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
From: "M. Warner Losh"
In-Reply-To: <15445.48617.802871.870971@caddis.yogotech.com>
References: <1913.216.153.202.59.1012249133.squirrel@www1.27in.tv> <20020128.135120.11184725.imp@village.org> <15445.48617.802871.870971@caddis.yogotech.com>

I'm most worried about the case where you have compiled ipfw into the kernel. When you do that, the default is don't route anything. I want to preserve that.

Loading ipfw is less secure than having it in the kernel, since there's a window at boot that packets can pass. The problem with ipfw now is that if you don't have the default deny rule, there's a small window where you have packets passed. ipfilter is done much sooner in the boot process, so doesn't appear to suffer from this vulnerability.
If possible, we should move ipfw to the same location as ipfilter (I suspect that it isn't there for some reason). We'd also need to change ipfilter rules as well. It doesn't default to blocking everything, and if you set ipfilter_enable to NO, you get that same behavior. The ipfilter stuff also will blindly try to load the ipfilter rules, even if ipfilter isn't in the kernel and can't be loaded.

So, leaving that aside for the moment, let's return to the ipfw stuff. firewall_enable is really firewall_rules_enable at the moment. Looking at the code closely, we see things like:

	case ${firewall_in_kernel} in
	1)
		... (indentation <<)
		case ${firewall_enable} in
		[Yy][Ee][Ss])
			if [ -r "${firewall_script}" ]; then
				...
			elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				    'but firewall rules are not enabled.'
				echo '           All ip services are disabled.'
			fi
			...
			;;
		esac
		;;
	esac

My understanding of what I want and what you want, rendered in code excerpt form, is:

	# Initialize IP filtering using ipfw
	#
	if /sbin/ipfw -q flush > /dev/null 2>&1; then
		ipfw_in_kernel=1
	else
		ipfw_in_kernel=0
	fi

	case ${ipfw_enable} in
	[Yy][Ee][Ss])
		if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
			ipfw_in_kernel=1
			echo 'Kernel firewall module loaded'
		elif [ "${ipfw_in_kernel}" -eq 0 ]; then
			echo 'Warning: firewall kernel module failed to load'
		fi
		;;
	esac

	case ${ipfw_in_kernel} in
	1)
		... (indentation <<)
		# The NO branch must come before "*": case patterns match in order.
		case ${ipfw_firewall_enable} in
		[Nn][Oo])
			echo 'Warning: kernel has firewall functionality,' \
			    'but user disabled it in /etc/rc.conf'
			echo '           All ip services are ENABLED'
			sysctl ...	# turn off ipfw via sysctl
			;;
		*)
			if [ -r "${ipfw_script}" ]; then
				...
			elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
				echo 'Warning: kernel has firewall functionality,' \
				    'but firewall rules are not enabled.'
				echo '           All ip services are disabled.'
			fi
			...
			;;
		esac
		;;
	esac

Is that right?
Forget my old proposal for the moment (and do a s/firewall/ipfw/ on all the current firewall_ variables not specifically mentioned). We'd introduce an ipfw_firewall_enable. /etc/defaults/rc.conf would have:

	ipfw_enable=no
	ipfw_firewall_enable=yes

Or in less shellese pseudo-code:

	in-kernel=`ask the kernel if there's ipfw`
	if !in-kernel && ipfw_enable == yes
		load ipfw
		in-kernel=true
	endif
	if in-kernel
		if ipfw_firewall_enable == no
			turn off ipfw
		else
			load rules, natd, etc.
		endif
	endif

ipfw_enable == Load ipfw if it isn't in the kernel.
ipfw_firewall_enable == turn ipfw on/off if it is in the kernel.

Comments?

Warner
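As an added example (mine, not from Warner's message or from FreeBSD's rc scripts), the two-variable logic above as a POSIX sh function whose kernel probe and module load are passed in as commands, so the decision table, including the load-failure path, can be exercised without ipfw:

```shell
# Decision logic of the ipfw_enable / ipfw_firewall_enable proposal.
#   $1 = ipfw_enable   $2 = ipfw_firewall_enable
#   $3 = probe command, stands in for "/sbin/ipfw -q flush" (succeeds if ipfw is in the kernel)
#   $4 = load command,  stands in for "kldload ipfw"
# Prints one of: load_rules, disable_ipfw, no_ipfw, load_failed (exit 1).
ipfw_boot_action() {
    if $3 >/dev/null 2>&1; then in_kernel=1; else in_kernel=0; fi

    # Step 1: ipfw_enable only decides whether to load the module when it is absent.
    case $1 in
    [Yy][Ee][Ss])
        if [ "$in_kernel" -eq 0 ] && $4 >/dev/null 2>&1; then
            in_kernel=1
        elif [ "$in_kernel" -eq 0 ]; then
            echo load_failed
            return 1
        fi
        ;;
    esac

    # Step 2: with ipfw present (compiled in or just loaded), the kernel's
    # default "deny ip from any to any" rule stays unless the admin said NO.
    if [ "$in_kernel" -eq 1 ]; then
        case $2 in
        [Nn][Oo]) echo disable_ipfw ;;   # the branch that would run the sysctl
        *)        echo load_rules ;;     # the branch that would run ipfw_script/natd
        esac
    else
        echo no_ipfw                     # nothing in the kernel, nothing to do
    fi
}

# Stand-alone demo: ipfw compiled in (probe succeeds), rc.conf defaults.
ipfw_boot_action no yes true false
```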