Date: Mon, 01 Jun 2009 10:38:41 -0700 From: Doug Barton <dougb@FreeBSD.org> To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> Cc: svn-src-head@freebsd.org, max@love2party.net, svn-src-all@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r193198 - head/etc/rc.d Message-ID: <4A241221.6090707@FreeBSD.org> In-Reply-To: <20090601062701.C12292@maildrop.int.zabbadoz.net> References: <200906010535.n515Z4qK065272@svn.freebsd.org> <20090601062701.C12292@maildrop.int.zabbadoz.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Bjoern A. Zeeb wrote: > On Mon, 1 Jun 2009, Doug Barton wrote: > >> Author: dougb Date: Mon Jun 1 05:35:03 2009 New Revision: 193198 >> URL: http://svn.freebsd.org/changeset/base/193198 >> >> Log: Make the pf and ipfw firewalls start before netif, just like >> ipfilter already does. This eliminates a logical inconsistency, >> and a small window where the system is open after the network >> comes up. > > Unfortunetaly this is contrary to a lot of PRs and requests on > mailing lists out there that actually want the netif/network_ipv6 > to be run _before_ things come up. Can you provide links to some of those PRs? I'd love to learn more about this issue. > Espescially pf really needs this to avoid rules that needs to do > per paket lookups of the interface address. Not sure what you mean here. > Further ipfw has a default option being setaable at compile time > and as TUNABLE to handle this window. And what happens if someone sets the default to accept? You could argue that they are knowingly opening a window of vulnerability but I would argue that the right thing to do is to have the firewall rules loaded before the network comes up regardless of the default. That way you avoid both the potential window of vulnerability AND the window of time between the network being loaded and the firewall allowing access to the box. To give a little more history, this patch was discussed and reviewed a while back and someone told me that they would incorporate it into some overall work they were doing to improve the way that rc.d handles networking, so I stopped paying attention to it. Last night a user pointed out to me that another patch that this same person said they would handle never got in, so I reviewed other outstanding work and found that this one had not been done either. Obviously if this change breaks something it will have to be reverted. However from the security standpoint (primary concern) it would seem to be the right thing to do, and the previous rcorder was not logically consistent in any case. Max Laier wrote: > Can you please add a note about this in UPDATING? Yes. I was on the fence about this anyways, so now you've pushed me over. :) > It might be a slight POLA violation for people who rely on the > interfaces being configured to setup the firewall. For instance > when one doesn't use dynamic address rules in pf i.e. "from/to ifX" > instead of "from/to (ifX)". I don't understand what you've written here. It seems to me that if the interfaces are always the same then the firewall rules will be fine, but if they are using dynamic rules it doesn't matter if it starts before or after the network is up. Doug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A241221.6090707>