Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
On Sat, 14 Jul 2012, cr...@freebsd.org wrote:

> http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
>
> Description
>
> If a user has tables used in /etc/ipfw.conf, for example:
>
>   table 1 add 64.6.108.239
>
> then firewall restart:
>
>   /etc/rc.d/ipfw start
>
> fails with:
>
>   Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
>   Firewall rules loaded.
>
> and an incomplete ruleset is loaded. This is a serious security problem.
>
> How-To-Repeat
>
> Fix: in /etc/rc.firewall, after ${fwcmd} -f flush, you need to flush tables too with the command
>
>   ipfw table all flush

Yes, to such a ruleset you'd need to add 'table all flush' too. ipfw flush specifically does not flush tables.

I've long relied upon that, using mostly static tables only reloaded from a file saved hourly by cron, when $firewall_script finds tables are not loaded - i.e. at boot.

cheers, Ian
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org
Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote:

> On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
>
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
> >
> > Description
> >
> > If a user has tables used in /etc/ipfw.conf, for example:
> >
> >   table 1 add 64.6.108.239
> >
> > then firewall restart:
> >
> >   /etc/rc.d/ipfw start
> >
> > fails with:
> >
> >   Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
> >   Firewall rules loaded.
> >
> > and an incomplete ruleset is loaded. This is a serious security problem.
> >
> > How-To-Repeat
> >
> > Fix: in /etc/rc.firewall, after ${fwcmd} -f flush, you need to flush tables too with the command
> >
> >   ipfw table all flush
>
> Yes, to such a ruleset you'd need to add 'table all flush' too. ipfw flush specifically does not flush tables.
>
> I've long relied upon that, using mostly static tables only reloaded from a file saved hourly by cron, when $firewall_script finds tables are not loaded - i.e. at boot.

Not A Bug then?

Chris
Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:

> On 14 Jul 2012 18:49, Ian Smith smi...@nimnet.asn.au wrote:
>
> > On Sat, 14 Jul 2012, cr...@freebsd.org wrote:
> >
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
> > > [..]
> >
> > Yes, to such a ruleset you'd need to add 'table all flush' too. ipfw flush specifically does not flush tables.
> >
> > I've long relied upon that, using mostly static tables only reloaded from a file saved hourly by cron, when $firewall_script finds tables are not loaded - i.e. at boot.
>
> Not A Bug then?

Not For Me at least, Chris. Maybe ipfw(8) isn't specific enough about flush?

I can't speak for others, but I don't think flushing all tables in rc.firewall is useful when it's easy to include in your particular ruleset.

cheers, Ian
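As an added example (not code from the PR, from rc.firewall or from anyone in this thread), here is a small sh/awk check for the pattern Ian describes: it flags a ruleset whose "table N add" lines are not preceded by "table all flush" or "table N flush", and deliberately treats "ipfw -f flush" as not flushing tables. The function name check_table_flush and the two sample rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's rc.firewall.
# check_table_flush lints a ruleset (bare ipfw.conf lines, "ipfw ..." lines
# or rc.firewall-style "${fwcmd} ..." lines) for "table N add" entries that
# no "table all flush" or "table N flush" precedes.  Because "ipfw -f flush"
# leaves tables intact, such a ruleset dies with
# "setsockopt(IP_FW_TABLE_ADD): File exists" on reload, as in the PR.
check_table_flush() {
    awk '
        { sub(/#.*/, "") }                            # strip comments
        { sub(/^[ \t]*(\/sbin\/)?ipfw[ \t]+/, "") }   # drop a leading "ipfw"
        { sub(/^[ \t]*[$][{]fwcmd[}][ \t]+/, "") }    # or a leading "${fwcmd}"
        { while (sub(/^-[^ \t]*[ \t]+/, "")) { } }    # drop flags such as -q, -f
        # A plain "-f flush" is now just "flush" and matches nothing below,
        # which is exactly the point: it is not a table flush.
        $1 == "table" && $2 == "all" && $3 == "flush" { all_flushed = 1; next }
        $1 == "table" && $3 == "flush" { flushed[$2] = 1; next }
        $1 == "table" && $3 == "add" && !all_flushed && !flushed[$2] {
            printf "line %d: table %s add without a prior flush\n", NR, $2
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}
# Constructed sample rulesets in temp files (the table entry is the PR's own).
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat > "$BAD_CONF" <<'EOF'
# firewall_script that relies on "ipfw -f flush" alone
ipfw -q -f flush
ipfw -q table 1 add 64.6.108.239
ipfw -q add 100 deny ip from table(1) to any
EOF
cat > "$GOOD_CONF" <<'EOF'
${fwcmd} -q -f flush
${fwcmd} -q table all flush
${fwcmd} -q table 1 add 64.6.108.239
${fwcmd} -q add 100 deny ip from table(1) to any
EOF
# Stand-alone demonstration: which file would leave an incomplete ruleset?
for f in "$BAD_CONF" "$GOOD_CONF"; do
    if check_table_flush "$f"; then
        echo "$f: ok"
    else
        echo "$f: would fail on reload"
    fi
done
```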
Re: kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf

Responsible-Changed-From-To: freebsd-ipfw->secteam
Responsible-Changed-By: crees
Responsible-Changed-When: Sat Jul 14 21:00:29 UTC 2012
Responsible-Changed-Why:
Reassign as per request.

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
Re: kern/165939: [ipw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf
Old Synopsis: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
New Synopsis: [ipw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf

Responsible-Changed-From-To: secteam->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Sat Jul 14 21:46:10 UTC 2012
Responsible-Changed-Why:
After consulting with the secteam members, it seems that this might indeed be a documentation issue or a bug. Assign it per example of crees to the IPFW team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939