bin/78785: [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely

Andrea Venturoli freebsd at netfenece.it
Sun Mar 13 06:00:07 PST 2005 

>Number:         78785
>Category:       bin
>Synopsis:       [patch] ipfw verbosity locks machine if /etc/rc.firewall is run remotely
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 13 14:00:06 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrea Venturoli
>Release:        FreeBSD 5.3-RELEASE-p5 i386
>Organization:
NetFence
>Environment:
System: FreeBSD soth.ventu 5.3-RELEASE-p5 FreeBSD 5.3-RELEASE-p5 #1: Mon Feb 28 00:34:36 CET 2005 root at soth.ventu:/usr/obj/usr/src/sys/SOTH i386


	
>Description:
	Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used.
	First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again.
	Notice that using screen (from the port tree) is a viable workaround, when no console access is possible.
	4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3.

>How-To-Repeat:
	(Be sure either to have console access or to schedule a reboot before you begin).
	Put the following line in /etc/rc.conf:
		firewall_flags="-q -p /usr/bin/somepreprocessor"
	Login remotely and issue "sh /etc/rc.firewall".
>Fix:
	As said above, use /usr/ports/misc/screen.
	Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 1.54.2.3), but so simple that it should not be difficult to adapt it to newer revisions):

4031c4031,4032
<                       fprintf(stderr, "command is %s\n", av[0]);
---
>                       if (!do_quiet)
>                               fprintf(stderr, "command is %s\n", av[0]);

	You will need to specify -q *before* -p. (This again would not too be difficult to fix).
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list