Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread Ian Smith
On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=165939

  Description
  If the user has tables in /etc/ipfw.conf, for example:
 
  table 1 add 64.6.108.239
 
  then firewall restart:
 
  /etc/rc.d/ipfw start
 
  fails with:
  Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
  Firewall rules loaded.
 
  and an incomplete ruleset is loaded. This is a serious security problem.
 
  How-To-Repeat
  Fix
  in /etc/rc.firewall
 
  after ${fwcmd} -f flush
  you need to flush tables too with command
 
  ipfw table all flush

Yes, to such a ruleset you'd need to add 'table all flush' too.

ipfw flush specifically does not flush tables.  I've long relied upon 
that, using mostly static tables only reloaded from a file saved hourly 
by cron, when $firewall_script finds tables are not loaded - ie at boot.

cheers, Ian
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org


Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread Chris Rees
On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote:

 On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
   http://www.freebsd.org/cgi/query-pr.cgi?pr=165939

   Description
   If the user has tables in /etc/ipfw.conf, for example:
  
   table 1 add 64.6.108.239
  
   then firewall restart:
  
   /etc/rc.d/ipfw start
  
   fails with:
   Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
   Firewall rules loaded.
  
   and an incomplete ruleset is loaded. This is a serious security problem.
  
   How-To-Repeat
   Fix
   in /etc/rc.firewall
  
   after ${fwcmd} -f flush
   you need to flush tables too with command
  
   ipfw table all flush

 Yes, to such a ruleset you'd need to add 'table all flush' too.

 ipfw flush specifically does not flush tables.  I've long relied upon
 that, using mostly static tables only reloaded from a file saved hourly
 by cron, when $firewall_script finds tables are not loaded - ie at boot.

Not A Bug then?

Chris


Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread Ian Smith
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:
  On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote:
  
   On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
 http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
[..]
   Yes, to such a ruleset you'd need to add 'table all flush' too.
  
   ipfw flush specifically does not flush tables.  I've long relied upon
   that, using mostly static tables only reloaded from a file saved hourly
   by cron, when $firewall_script finds tables are not loaded - ie at boot.
  
  Not A Bug then?

Not For Me at least, Chris.  Maybe ipfw(8) isn't specific enough about 
flush?  I can't speak for others, but don't think flushing all tables in 
rc.firewall useful when it's easy to include in your particular ruleset.

cheers, Ian
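One way to make a ruleset reload idempotent along the lines Ian suggests (flush the tables in your own ruleset rather than flushing every table in rc.firewall), as an added shell example that is not from the thread or from FreeBSD's rc.firewall; it assumes the ipfw(8) table syntax the PR uses (`table N add`, `table N flush`) and the hypothetical helper names tables_to_flush, preprocess_ruleset and expected_line_count:

```shell
#!/bin/sh
# Added example, not from the PR or from FreeBSD's rc.firewall. It assumes
# the ipfw(8) syntax of the time ('table N flush', 'table N add ADDR').
# 'ipfw -f flush' leaves tables alone, so a reload that re-adds the same
# entries dies with "File exists" and the rest of the ruleset never loads.
# Instead of flushing every table in rc.firewall, flush only the tables
# this particular ruleset populates, right before its own lines.

# Read a ruleset on stdin; print one 'table N flush' for each table number
# the ruleset fills with 'table N add ...', in first-seen order.
tables_to_flush() {
    awk '$1 == "table" && $3 == "add" && !seen[$2]++ { print "table " $2 " flush" }'
}

# Print the ruleset file with the flush preamble prepended. The result can
# be fed to "${fwcmd} /dev/stdin" after "${fwcmd} -f flush" has run.
preprocess_ruleset() {
    tables_to_flush < "$1"
    cat "$1"
}

# Number of lines a loader has to apply; a partial load (ipfw stopping at
# the first failing line) is exactly the failure mode the PR describes.
expected_line_count() {
    preprocess_ruleset "$1" | wc -l | tr -d ' '
}

# Constructed sample ipfw.conf, modelled on the PR's 'table 1 add' line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
table 1 add 64.6.108.239
table 1 add 198.51.100.0/24
table 2 add 192.0.2.0/24
add 100 deny ip from table(1) to any
add 200 allow ip from table(2) to me
EOF

preprocess_ruleset "$SAMPLE_CONF"
```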


Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

2012-07-14 Thread crees
Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are 
used in ipfw.conf

Responsible-Changed-From-To: freebsd-ipfw-secteam
Responsible-Changed-By: crees
Responsible-Changed-When: Sat Jul 14 21:00:29 UTC 2012
Responsible-Changed-Why: 
Reassign as per request.

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939