Date: Thu, 13 May 2021 21:17:30 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 255852] pf: set skip on: serious security hole Message-ID: <bug-255852-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255852 Bug ID: 255852 Summary: pf: set skip on: serious security hole Product: Base System Version: 13.0-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rashey@superbox.pl Once skipped interface cannot be unskipped till pf restart. An oblivious administrators can make a hole in firewall by reloading ruleset without pf restart after network reconfiguration. # ifconfig epair create epair0a # echo "set skip on { lo0, epair }" > /etc/pf.conf # service pf reload Reloading pf rules. # pfctl -vsI No ALTQ support in kernel ALTQ related functions disabled all em0 em1 epair (skip) epair0a (skip) epair0b (skip) lo lo0 (skip) echo "set skip on lo0" > /etc/pf.conf # service pf reload Reloading pf rules. # pfctl -vsI No ALTQ support in kernel ALTQ related functions disabled all em0 em1 epair (skip) epair0a (skip) epair0b (skip) lo lo0 (skip) # service pf restart Disabling pf. Enabling pf. # pfctl -vsI No ALTQ support in kernel ALTQ related functions disabled all em0 em1 epair epair0a epair0b lo lo0 (skip) # freebsd-version 13.0-RELEASE -- You are receiving this mail because: You are the assignee for the bug.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-255852-227>