Date: Fri, 30 Jun 2006 14:38:44 +0200
From: Volker <volker@vwsoft.com>
To: freebsd-pf@freebsd.org
Subject: Re: problem with keyword self
Message-ID: <44A51B54.4090908@vwsoft.com>
In-Reply-To: <20060630120116.AA95F16A85D@hub.freebsd.org>
References: <20060630120116.AA95F16A85D@hub.freebsd.org>
On 2006-06-30, daniel@benzedrine.cx wrote:
> "self" always translates to IP addresses at load-time. To re-translate,
> you have to re-load the ruleset.
>

Daniel,

a while ago I was experiencing one thing where it can be dangerous to make use of the 'self' keyword.

If you're setting up a DSL connection using mpd (I guess it's the same with userland ppp, but I have never tried that), the system has an unconfigured IP interface (xl0 or whatever), where unconfigured means it's up but has an IP address of 0.0.0.0. PPPoE is being done on the interface ng0, for example, and this one has an IP address if the connection is up.

Now if you're using a rule like 'pass in from any to self' (or something similar), the rule is translated into 'pass in from 0.0.0.0 to 0.0.0.0', which in turn means 'just pass all traffic unconditionally', and you have a great wide open firewall (in fact, no firewall at all).

I know the example rule is not a real world rule, but just imagine you have a rule like 'pass in from any to self port 80' to have the http server reachable. That would let pass traffic to _any_ internal webserver. Sometimes admins are lazy and do stupid things like that without being aware of the consequences of a quickly hacked rule.

I'm wondering if you're able to check whether an interface has a valid IP address or not before processing rules and skip unconfigured interfaces (or at least do not let them be included when it comes to 'self' rules). IMHO 'self' should never validate to an IP address like 0.0.0.0.

Greetings,
Volker
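Added here as an example; it is not part of Volker's mail and not code from pf or mpd. Since 'self' is expanded at load time, the defensive check is to look at the expanded ruleset before it is loaded (`pfctl -nvf /etc/pf.conf` parses and prints the rules without loading them) and refuse the reload if any rule carries 0.0.0.0 as a host, and separately to list interfaces that are up but still hold 0.0.0.0. The pfctl- and ifconfig-style text below is constructed to mimic that output; the function names and variables are this example's own.

```shell
#!/bin/sh
# Audit an expanded pf ruleset for 'self' having resolved to 0.0.0.0.
# Real-world use: pfctl -nvf /etc/pf.conf | flag_unspecified_rules "$(cat)"
# Everything below is constructed sample data, not captured from a live box.

# Constructed: what an expanded ruleset looks like when xl0 is up with 0.0.0.0
# and 'pass in from any to self port 80' was expanded per interface address.
SAMPLE_RULES='pass in inet from any to 192.168.1.1 port = 80
pass in inet from any to 0.0.0.0 port = 80
pass in inet from any to 10.0.0.5 port = 22
block drop in all'

# Print every rule where 0.0.0.0 appears as a source or destination host.
# Exit status is non-zero when any such rule exists, so a reload script can
# use it as a gate: flag_unspecified_rules "$rules" && pfctl -f /etc/pf.conf
flag_unspecified_rules() {
    printf '%s\n' "$1" | awk '
        /(from|to) 0\.0\.0\.0( |$)/ { print "UNSPECIFIED: " $0; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed ifconfig-style output: xl0 is up but unconfigured (0.0.0.0),
# ng0 is the PPPoE interface that actually holds the public address.
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 0.0.0.0 netmask 0xff000000
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
	inet 203.0.113.10 --> 203.0.113.1 netmask 0xffffffff'

# List interfaces whose inet address is 0.0.0.0; these are exactly the ones
# that leak an unspecified address into a 'self' expansion.
unconfigured_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+: / { iface = $1; sub(":", "", iface) }
        /^[ \t]+inet 0\.0\.0\.0( |$)/ { print iface }
    '
}

# Stand-alone demo: report both findings the way a pre-reload gate would.
unconfigured_ifaces "$SAMPLE_IFCONFIG" | sed 's/^/UNCONFIGURED IFACE: /'
flag_unspecified_rules "$SAMPLE_RULES" || echo "refusing to load: 'self' expanded to 0.0.0.0"
```

Running the check against `pfctl -nvf` output rather than `pfctl -sr` means the bad expansion is caught before it ever reaches the kernel; pairing it with the interface listing tells the operator which interface to bring down or exclude from the rule.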
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44A51B54.4090908>