bin/78785: [patch] ipfw verbosity locks machine if /etc/rc.firewall
is run remotely
freebsd at netfenece.it
Sun Mar 13 06:00:07 PST 2005
>Synopsis: [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely
>Arrival-Date: Sun Mar 13 14:00:06 GMT 2005
>Originator: Andrea Venturoli
>Release: FreeBSD 5.3-RELEASE-p5 i386
System: FreeBSD soth.ventu 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #1: Mon Feb 28 00:34:36 CET 2005 root at soth.ventu:/usr/obj/usr/src/sys/SOTH i386
Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used.
First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again.
Notice that using screen (from the port tree) is a viable workaround, when no console access is possible.
4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3.
(Be sure either to have console access or to schedule a reboot before you begin).
Put the following line in /etc/rc.conf:
firewall_flags="-q -p /usr/bin/somepreprocessor"
Login remotely and issue "sh /etc/rc.firewall".
As said above, use /usr/ports/misc/screen.
Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 220.127.116.11), but so simple that it should not be difficult to adapt it to newer revisions):
< fprintf(stderr, "command is %s\n", av);
> if (!do_quiet)
> fprintf(stderr, "command is %s\n", av);
You will need to specify -q *before* -p. (This again would not too be difficult to fix).
More information about the freebsd-bugs