From owner-freebsd-pf@FreeBSD.ORG Fri Jun 30 12:38:35 2006
Return-Path: 
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4985116A403 for ; Fri, 30 Jun 2006 12:38:35 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.ipactive.de [85.214.39.229]) by mx1.FreeBSD.org (Postfix) with ESMTP id A466543D48 for ; Fri, 30 Jun 2006 12:38:34 +0000 (GMT) (envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (gprs-pool-1-008.eplus-online.de [212.23.126.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 5A16C33D05 for ; Fri, 30 Jun 2006 14:38:29 +0200 (CEST)
Received: from [127.0.0.1] (unknown [192.168.201.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id BCC302E51E; Fri, 30 Jun 2006 14:38:21 +0200 (CEST)
Message-ID: <44A51B54.4090908@vwsoft.com>
Date: Fri, 30 Jun 2006 14:38:44 +0200
From: Volker
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Thunderbird/1.0.6 Mnenhy/0.6.0.101
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <20060630120116.AA95F16A85D@hub.freebsd.org>
In-Reply-To: <20060630120116.AA95F16A85D@hub.freebsd.org>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: 
Subject: Re: problem with keyword self
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 30 Jun 2006 12:38:35 -0000

On 2006-06-30, daniel@benzedrine.cx wrote:
> "self" always translates to IP addresses at load-time. To re-translate,
> you have to re-load the ruleset.
>

Daniel,

a while ago I was experiencing one thing where it can be dangerous to make use of the 'self' keyword.

If you're setting up a DSL connection using mpd (I guess it's the same with userland ppp, but I have never tried that), the system has got an unconfigured IP interface (xl0 or whatever), where unconfigured means it's up but has an IP address of 0.0.0.0. PPPoE is being done on the interface ng0, for example, and this one has an IP address if the connection is up.

Now if you're using a rule like 'pass in from any to self' (or something similar), the rule is being translated into 'pass in from 0.0.0.0 to 0.0.0.0', which in turn means 'just pass all traffic unconditionally', and you're having a great wide open firewall (in fact, no firewall at all).

I know the example rule is not a real world rule, but just imagine you're having a rule like 'pass in from any to self port 80' to have the http server being reachable. That would let pass traffic to _any_ internal webserver. Sometimes admins are lazy and do stupid things like that and are not aware of the consequences of a quickly hacked rule.

I'm wondering if you're able to check whether an interface has a valid IP address or not before processing rules and skip unconfigured interfaces (or at least do not let them be included when it comes to 'self' rules). IMHO 'self' should never validate to an IP address like 0.0.0.0.

Greetings,

Volker
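The situation Volker describes, as an added pre-flight check that is not part of the thread and not code from the FreeBSD pf project: it approximates pf's load-time expansion of 'self' (one rule copy per address of every interface, which is an assumption about the expansion order but matches Daniel's point that the substitution happens only at load time), and refuses a ruleset whose expansion would contain 0.0.0.0. The ifconfig output and pf.conf fragment are constructed samples, not captured from a real host; the interface names xl0 and ng0 are taken from the message.

```python
"""Pre-flight check for pf rulesets that use the 'self' keyword.

Added example, not from the mailing list thread or the pf project.
It re-implements, as an approximation, the behaviour the thread
describes: 'self' expanding at load time into the address of every
interface, including interfaces that are up but still hold 0.0.0.0.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ifconfig -a` output: xl0 is up but unconfigured
# (0.0.0.0) while the PPPoE link ng0 carries the real public address.
SAMPLE_IFCONFIG = """\
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:11:22:33:44:55
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1492
        inet 203.0.113.45 --> 203.0.113.1 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Constructed pf.conf fragment; the last rule is the interface-bound form
# that does not depend on 'self' at all.
SAMPLE_RULES = """\
block in all
pass in from any to self port 80
pass out from self to any keep state
pass in on ng0 from any to (ng0) port 22
"""

IFACE_RE = re.compile(r"^(\w+):\s+flags=")
INET_RE = re.compile(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)")
SELF_RE = re.compile(r"\bself\b")


def parse_ifconfig(text: str) -> Dict[str, List[str]]:
    """Map interface name -> IPv4 addresses, from ifconfig-style output."""
    addrs: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(m.group(1))
    return addrs


def unconfigured_interfaces(addrs: Dict[str, List[str]]) -> List[str]:
    """Interfaces that are up but still carry the unspecified address 0.0.0.0."""
    return sorted(name for name, ips in addrs.items()
                  if any(ipaddress.ip_address(ip).is_unspecified for ip in ips))


def expand_self(rule: str, addrs: Dict[str, List[str]]) -> List[str]:
    """Approximate pf's load-time expansion: one copy per address 'self' stands for."""
    if not SELF_RE.search(rule):
        return [rule]
    all_ips = [ip for ips in addrs.values() for ip in ips]
    return [SELF_RE.sub(ip, rule) for ip in all_ips]


def check_ruleset(rules_text: str, ifconfig_text: str) -> List[Tuple[str, str]]:
    """Return (original rule, expanded rule) pairs whose expansion contains 0.0.0.0."""
    addrs = parse_ifconfig(ifconfig_text)
    findings = []
    for rule in rules_text.splitlines():
        for expanded in expand_self(rule, addrs):
            if "0.0.0.0" in expanded:
                findings.append((rule, expanded))
    return findings


def preflight_ok(rules_text: str, ifconfig_text: str) -> bool:
    """True only if no 'self' rule would expand to the unspecified address."""
    return not check_ruleset(rules_text, ifconfig_text)


if __name__ == "__main__":
    # On a real host the two inputs would be `ifconfig -a` and pf.conf.
    print("unconfigured:", unconfigured_interfaces(parse_ifconfig(SAMPLE_IFCONFIG)))
    for original, expanded in check_ruleset(SAMPLE_RULES, SAMPLE_IFCONFIG):
        print(f"REFUSE: {original!r} -> {expanded!r}")
    print("safe to load:", preflight_ok(SAMPLE_RULES, SAMPLE_IFCONFIG))
```

The interface-bound rule in the sample, `pass in on ng0 from any to (ng0) port 22`, is the mitigation pf.conf(5) already offers for dynamic links: an interface name in parentheses is re-evaluated whenever that interface's address changes, so the rule never has to be reloaded and never picks up the 0.0.0.0 of an unrelated, unconfigured interface the way a 'self' rule does.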