kern/165939: [ipw] security bug: incomplete firewall rules loaded if tables are used in ipfw.conf
Ian Smith
smithi at nimnet.asn.au
Sun Jul 15 13:50:33 UTC 2012
On Sat, 14 Jul 2012 18:59:54 +0100, Chris Rees wrote:
> On 14 Jul 2012 18:49, "Ian Smith" <smithi at nimnet.asn.au> wrote:
> >
> > On Sat, 14 Jul 2012, crees at freebsd.org wrote:
> > > http://www.freebsd.org/cgi/query-pr.cgi?pr=165939
[..]
> > > Description
> > > If user has tables used in /etc/ipfw.conf for example:
> > >
> > > table 1 add 64.6.108.239
> > >
> > > then firewall restart:
> > >
> > > /etc/rc.d/ipfw start
> > >
> > > fails with:
> > > Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
> > > Firewall rules loaded.
> > >
> > > and incomplete ruleset is loaded. This is serious security problem.
I've likely said more than enough while awaiting team response, but does
this still fail if in /etc/rc.conf you set either (should come to the
same for your custom firewall_type=/etc/ipfw.conf via rc.firewall) of:
firewall_quiet="YES"
firewall_flags="-q"
Just that ipfw(8) reckons, noting the last sentence:
-q Be quiet when executing the add, nat, zero, resetlog or flush
commands; (implies -f). This is useful when updating rulesets by
executing multiple ipfw commands in a script (e.g.,
`sh /etc/rc.firewall'), or by processing a file with many ipfw
rules across a remote login session. It also stops a table add
or delete from failing if the entry already exists or is not
present.
i.e., with -q on table add commands, you shouldn't need to flush tables.
cheers, Ian
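An added example, not part of this thread and not FreeBSD's own rc.firewall: a small sh(1) loader that applies the mitigations discussed above (flush the table before re-adding its entries, pass -q to ipfw) and then verifies the loaded entry count against the file, so a restart that drops entries is reported as a failure instead of printing "Firewall rules loaded." over an incomplete ruleset. It assumes the ipfw(8) subcommands `table N flush`, `table N add` and `table N list`, an entry file with one address or prefix per line (the path /etc/ipfw.table1 below is a hypothetical example), and an IPFW variable that is this script's own convention for locating the ipfw binary (it is not an rc.conf knob).

```sh
#!/bin/sh
# Added example: defensive ipfw table loader (not from the thread or FreeBSD).
# IPFW locates the ipfw(8) binary; it is this script's own variable, overridable
# so the functions can be exercised against a stub outside FreeBSD.
IPFW="${IPFW:-ipfw}"

# load_table TABLE FILE
# Flush TABLE, then add every entry in FILE with -q so a pre-existing entry
# cannot abort the load.  Returns non-zero if any add fails, so the caller
# never reports success over a partially loaded table.
load_table() {
    table="$1"
    file="$2"
    failed=0
    "$IPFW" -q table "$table" flush || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry="${entry%%#*}"                      # strip trailing comments
        entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -z "$entry" ] && continue               # skip blank/comment lines
        # $entry is deliberately unquoted: "addr[/masklen] [value]" splits into words
        if ! "$IPFW" -q table "$table" add $entry; then
            printf 'table %s: failed to add %s\n' "$table" "$entry" >&2
            failed=1
        fi
    done < "$file"
    return $failed
}

# count_table TABLE: number of entries ipfw currently reports for TABLE
count_table() {
    "$IPFW" table "$1" list | grep -c . || true
}

# verify_table TABLE FILE: succeed only if the kernel holds exactly as many
# entries as FILE specifies (comment-only and blank lines are not counted)
verify_table() {
    want=$(grep -v '^[[:space:]]*#' "$2" | grep -c '[^[:space:]]' || true)
    got=$(count_table "$1")
    [ "$got" -eq "$want" ]
}

# Stand-alone usage on FreeBSD (as root):  sh load_table.sh 1 /etc/ipfw.table1
if [ "$#" -eq 2 ]; then
    load_table "$1" "$2" && verify_table "$1" "$2" && echo "table $1: $(count_table "$1") entries loaded"
fi
```

The flush makes the load idempotent, -q covers the race where an entry reappears between flush and add, and verify_table is the actual detection step: it turns the "File exists, but Firewall rules loaded." outcome from the PR into a visible non-zero exit that an rc script or monitoring check can act on.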