Date:      Mon, 26 Feb 1996 13:03:06 -0600 (CST)
From:      Joe Greco <jgreco@brasil.moneng.mei.com>
To:        nate@sri.MT.net (Nate Williams)
Cc:        phk@critter.tfs.com, imb@scgt.oz.au, stable@freebsd.org, current@freebsd.org
Subject:   Re: -stable hangs at boot (fwd)
Message-ID:  <199602261903.NAA15710@brasil.moneng.mei.com>
In-Reply-To: <199602261540.IAA29287@rocky.sri.MT.net> from "Nate Williams" at Feb 26, 96 08:40:53 am

> Poul-Henning Kamp writes:
> > > If you ^C your way to a shell prompt, there's a single rule that's in the
> > > firewall list saying "deny all from any to any". Courtesy of the same recent
> > > brain-damage in ipfw(8), you can't delete this rule either ("setsockopt
> > > failed").
> > 
> > If you call this "brain-damage" then you quite clearly don't need IPFW.
> 
> I understand that it's there to stop a race condition where folks can
> 'get into' the system before the FW rules are brought in.  However, ...

THIS can be generally solved by installing the rules before configuring the
interfaces (at least that's how I do it).  The disadvantage is that if you
re-install the rules, you probably flush the old ones first, and you leave a
small opening.  That is not terrible but the ideal solution would address
it.  Argument FOR keeping this "default" rule, IMHO.

> > QED:  Setup your filters before anything gets passed.
> 
> I can't do this on my box at all.  It's a PPP connection, and *all* of
> the filtering is done on my PPP interface, which can vary depending on
> incoming calls.  So, by having a default 'global' firewall entry I have
> a couple problems.

That's true.

> 1) There is no established way to have it be on a per-process.  This is
> *bad* news for me since my PPP box is also my DNS/router.  I can't wait
> for my PPP connection to come up before I add entries, and I want all of
> my local machines to have access to *everything* on my router box.

But your local machines are well known:

ipfw addf pass all from nates.net/24 to nates.router

You can run a script when your PPP link {goes up, comes down} that installs
further firewall entries to deal with your Internet connection, including
correct dynamic addresses, etc.

I'm not clear on what the problem that you perceive is.

> 2) There is no established method for adding IPFW entries in FreeBSD.
> If we are going to make this the default method, I think we need some
> hooks in /etc/netstart added to make this work.

Absolutely!!!!!!!!!!!  And BEFORE the interfaces are configured AND 
before forwarding is enabled.  I simply stuck in "sh /etc/fw", where /etc/fw
is a script that flushes rules and then installs the new ones.  We should
probably ship one that cancels out the effect of the "default" rule, but has
several other examples in it.  Yes, you heard that right.

In my opinion having the default drop rule is a good idea.  It closes some
small windows of opportunity.  But it will confuse the hell out of people.
By default we should "undo" the problem in the config file, document it, and
give examples of configurations that offer low risk / no risk firewall
profiles, which users can then uncomment and activate.

> 3) The code -stable is un-documented and incomplete w/regard to
> -current.  The documentation in -stable hasn't been updated yet.  Here
> is the last entry for the ipfw.8 man-page.
> 
> revision 1.7.4.5
> date: 1996/02/23 15:28:38;  author: phk;  state: Exp;  lines: +2 -0
> Make ipfw handle the new kernel stuff.  Put notice in man-page that it
> doesn't match reality right now.
> -
> But there have been commits since this time to the man-page, so I'm
> assuming that documentation has been written to document the new
> functionality.

True.

> > Wrt to the rule #65535 "deny all from any to any", then you are correct,
> > you cannot delete it.  It represents the default policy of "anything not
> > specifically allowed, is banned."
> 
> While I understand why (see above), I still don't think this should be
> the 'global' default behavior.  It should be applied on a specific
> interface since every gateway must have 2 interfaces, and only one will
> need the 'block everything' rule.

Yes, but which one?  The current setup doesn't worry about it, it assumes
you will open up the interface you want opened.  And paranoids like me do
actually firewall both interfaces  :-)

> Yes, I understand that I can add a
> 'open up everything' rule on my ethernet, but it'll also be necessary
> for all of my incoming PPP/SLIP connections.  Also, how does this affect
> the PPP/SLIP startup code?  Can a connection be established with the new
> IPFW code in place?

Sure.  I already run the firewall rule config script before starting any
interfaces.  That works.  (I don't see how it would interfere with a
connection being established anyway, we are firewalling at the protocol
level, not the byte level).

> > If you want to dispute this design, then please find at least one textbook
> > or capacity in the area who agree with you first, that will save a lot of
> > my time.
> 
> I will dispute the design in that the current implementation *increases*
> the likelihood of errors due to lack of documentation and flexibility.
> The former may be the cause of the latter, but it's still a great cause
> of concern.

% cat /etc/ipfw.conf
#! /bin/sh -
#
# Default IPFW Rule Configuration File
#
# The kernel has a built in rule that drops all packets.  The intention is
# to close any window of opportunity for potential attackers.  The following
# rule overrides this until a local firewall policy is implemented.
#
ipfw addf pass all from 0/0 to 0/0
#
# To define a local firewall policy, comment out the above line and insert
# new rules below that define the types of traffic you wish to permit on
# your network.  Please note that you will need to understand the ipfw
# syntax, see man ipfw(8).  Also note that by commenting out the command
# above, ONLY packets allowed by your declared policy will be allowed to
# pass!
#
# Samples:
# --- Allow incoming SMTP.
# ipfw addf pass tcp from 0/0 to my.net.number.0/bits 25
# --- Allow outbound SMTP.
# ipfw addf pass tcp from my.net.number.0/bits to 0/0 25
# --- Allow outbound telnet.
# ipfw addf pass tcp from my.net.number.0/bits to 0/0 23
# --- Allow ICMP messages (ping and friends).
# ipfw addf pass icmp from 0/0 to 0/0
%

Note I wrote that from memory.  Somebody sanity check it, commit it, and
stick

if [ -f /etc/ipfw.conf -a -x /sbin/ipfw ]; then
	sh /etc/ipfw.conf
fi

into /etc/rcwhereever and we can be done with this argument  :-)

Or we can hash this to a bloody pulp and not make any forward progress.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/546-7968



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602261903.NAA15710>
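An added example, not code from the thread or from FreeBSD's own rc files: a
shell script that generates the rules Joe describes (the LAN-to-router pass
rule, plus a link-up hook that adds rules for the dynamic PPP address) and
installs them without the flush-then-refill window he mentions.  It goes
beyond the 1996 "addf" syntax by using ipfw rule sets (ipfw set disable /
set swap), which later ipfw versions provide: the new policy is built in a
disabled set and swapped live in one ipfw call.  The addresses, interface
name, rule numbers and file paths below are placeholders chosen for the
example.

```shell
#!/bin/sh
# Added example, not from the thread.  Stages a fresh ipfw policy in a
# disabled rule set and swaps it live with a single ipfw(8) call, so a
# reload never passes through the empty-table window the thread describes.
# Assumes ipfw with rule sets (FreeBSD 5 and later); the 1996 "addf" syntax
# in the thread had none.  All addresses, the interface name and the rule
# numbers below are placeholders for the example.

IPFW="${IPFW:-/sbin/ipfw}"
LIVE_SET=0     # set the kernel evaluates packets against
STAGE_SET=31   # kept disabled; new rules are built here, then swapped in

# Print one rule body per line for: LAN prefix, router address, external
# interface, external address ("" while the PPP link is down).
policy_rules() {
    lan="$1"; router="$2"; ext_if="$3"; ext_ip="$4"
    echo "check-state"
    echo "allow ip from any to any via lo0"
    # LAN hosts get everything on the router (the pass rule in the thread)
    echo "allow ip from $lan to $router"
    echo "allow ip from $router to $lan"
    if [ -n "$ext_ip" ]; then
        # link is up and the dynamic address is known: open only what is needed
        echo "allow tcp from any to $ext_ip 25 in via $ext_if setup"
        echo "allow tcp from $ext_ip to any out via $ext_if setup keep-state"
        echo "allow udp from $ext_ip to any 53 out via $ext_if keep-state"
        echo "allow icmp from any to any icmptypes 0,3,8,11"
    else
        # link down: nothing may cross the external interface at all
        echo "deny log ip from any to any via $ext_if"
    fi
    # anything not listed falls through to the kernel's rule 65535 (deny)
}

# Print the ipfw commands that install the policy atomically.  Pipe the
# output into sh(1) to apply it, or read it first to audit what gets loaded.
reload_commands() {
    echo "$IPFW -q set disable $STAGE_SET"   # staging rules never see traffic
    echo "$IPFW -q delete set $STAGE_SET"    # drop leftovers from a failed run
    n=100
    policy_rules "$@" | while IFS= read -r rule; do
        echo "$IPFW -q add $n set $STAGE_SET $rule"
        n=$((n + 10))
    done
    # one call: staged rules become set 0 (enabled), old rules become set 31
    echo "$IPFW -q set swap $STAGE_SET $LIVE_SET"
    echo "$IPFW -q delete set $STAGE_SET"    # discard the old policy
}

# Apply a policy.  Call from rc before the interfaces come up with ext_ip
# empty, then from the PPP link-up script with the address just negotiated,
# and again from the link-down script with it empty.
apply_policy() { reload_commands "$@" | sh; }

# When run as a script the four arguments are LAN, router, external
# interface and external address (placeholder paths and addresses):
#   /etc/ipfw.conf 192.0.2.0/24 192.0.2.1 ppp0 ""       from rc, link down
#   /etc/ipfw.conf 192.0.2.0/24 192.0.2.1 ppp0 MYADDR   from ppp.linkup,
#                                      where ppp(8) expands MYADDR itself
if [ $# -eq 4 ]; then
    apply_policy "$@"
fi
```

Because the staged set is disabled, the kernel keeps evaluating the old
policy until the swap; because the swap is one setsockopt, no packet is ever
checked against a half-loaded table.  The script deliberately ends with no
catch-all "allow" so the kernel's built-in rule 65535 stays the backstop.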