[Bug 255852] pf: set skip on: serious security hole
bugzilla-noreply at freebsd.org
Thu May 13 21:17:30 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255852
Bug ID: 255852
Summary: pf: set skip on: serious security hole
Product: Base System
Version: 13.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: rashey at superbox.pl
Once skipped, an interface cannot be unskipped till pf restart.
An oblivious administrator can make a hole in the firewall by reloading the ruleset
without a pf restart after network reconfiguration.
# ifconfig epair create
epair0a
# echo "set skip on { lo0, epair }" > /etc/pf.conf
# service pf reload
Reloading pf rules.
# pfctl -vsI
No ALTQ support in kernel
ALTQ related functions disabled
all
em0
em1
epair (skip)
epair0a (skip)
epair0b (skip)
lo
lo0 (skip)
# echo "set skip on lo0" > /etc/pf.conf
# service pf reload
Reloading pf rules.
# pfctl -vsI
No ALTQ support in kernel
ALTQ related functions disabled
all
em0
em1
epair (skip)
epair0a (skip)
epair0b (skip)
lo
lo0 (skip)
# service pf restart
Disabling pf.
Enabling pf.
# pfctl -vsI
No ALTQ support in kernel
ALTQ related functions disabled
all
em0
em1
epair
epair0a
epair0b
lo
lo0 (skip)
# freebsd-version
13.0-RELEASE
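An audit for the condition reported above, as an added example that is not part of the original bug report: it lists interfaces that `pfctl -vsI` still marks `(skip)` although the current pf.conf no longer names them. The function names are hypothetical; the sample listing is copied from the report's second `pfctl -vsI` output. Assumptions: pf.conf uses literal names (macros are not expanded), and a configured name without a trailing digit is treated as a group covering `name<digit>...` interfaces.

```shell
#!/bin/sh
# Added example, not FreeBSD project code.

# Interfaces the running pf marks "(skip)"; reads `pfctl -vsI` output on stdin.
kernel_skipped() { awk '$2 == "(skip)" { print $1 }'; }

# Names on "set skip on" lines of a pf.conf read from stdin.
# Assumption: literal names only; macros such as $ext_if are not expanded.
config_skipped() {
    sed -n 's/#.*//; s/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]\{1,\}//p' |
        tr -d '{}' | tr -s ', \t' '\n\n\n' | sed '/^$/d'
}

# stale_skips PFCTL_OUTPUT_FILE PF_CONF_FILE
# Prints every interface skipped in the kernel but not covered by the config.
stale_skips() {
    wanted=$(config_skipped < "$2")
    kernel_skipped < "$1" | while read -r ifname; do
        covered=no
        for w in $wanted; do
            case $ifname in
                "$w") covered=yes ;;                 # exact name listed
                "$w"[0-9]*)                          # heuristic: group name + unit
                    case $w in *[0-9]) ;; *) covered=yes ;; esac ;;
            esac
        done
        [ "$covered" = yes ] || echo "$ifname"
    done
}

# Sample input: the listing from the report after the second reload,
# checked against the ruleset that was loaded at that point.
sample_dir=$(mktemp -d)
cat > "$sample_dir/pfctl.txt" <<'EOF'
all
em0
em1
epair (skip)
epair0a (skip)
epair0b (skip)
lo
lo0 (skip)
EOF
echo 'set skip on lo0' > "$sample_dir/pf.conf"
stale=$(stale_skips "$sample_dir/pfctl.txt" "$sample_dir/pf.conf")
[ -z "$stale" ] || printf 'stale skip flag: %s\n' $stale
```

On a live system, save `pfctl -vsI` output to a file after each `service pf reload` and pass it together with `/etc/pf.conf`; any name printed is still bypassing the ruleset.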