svn commit: r193198 - head/etc/rc.d

Doug Barton dougb at FreeBSD.org
Mon Jun 1 17:38:47 UTC 2009


Bjoern A. Zeeb wrote:
> On Mon, 1 Jun 2009, Doug Barton wrote:
> 
>> Author: dougb
>> Date: Mon Jun  1 05:35:03 2009
>> New Revision: 193198
>> URL: http://svn.freebsd.org/changeset/base/193198
>> 
>> Log:
>>   Make the pf and ipfw firewalls start before netif, just like
>>   ipfilter already does. This eliminates a logical inconsistency,
>>   and a small window where the system is open after the network
>>   comes up.
> 
> Unfortunately this is contrary to a lot of PRs and requests on
> mailing lists out there that actually want the netif/network_ipv6
> to be run _before_ things come up.

Can you provide links to some of those PRs? I'd love to learn more
about this issue.

> Especially pf really needs this to avoid rules that need to do
> per packet lookups of the interface address.

Not sure what you mean here.

> Further ipfw has a default option being settable at compile time
> and as TUNABLE to handle this window.

And what happens if someone sets the default to accept? You could
argue that they are knowingly opening a window of vulnerability but I
would argue that the right thing to do is to have the firewall rules
loaded before the network comes up regardless of the default. That way
you avoid both the potential window of vulnerability AND the window of
time between the network being loaded and the firewall allowing access
to the box.

To give a little more history, this patch was discussed and reviewed a
while back and someone told me that they would incorporate it into
some overall work they were doing to improve the way that rc.d handles
networking, so I stopped paying attention to it. Last night a user
pointed out to me that another patch that this same person said they
would handle never got in, so I reviewed other outstanding work and
found that this one had not been done either.

Obviously if this change breaks something it will have to be reverted.
However from the security standpoint (primary concern) it would seem
to be the right thing to do, and the previous rcorder was not
logically consistent in any case.

Max Laier wrote:
> Can you please add a note about this in UPDATING?

Yes. I was on the fence about this anyways, so now you've pushed me
over. :)

> It might be a slight POLA violation for people who rely on the
> interfaces being configured to setup the firewall.  For instance
> when one doesn't use dynamic address rules in pf i.e. "from/to ifX"
> instead of "from/to (ifX)".

I don't understand what you've written here. It seems to me that if
the interfaces are always the same then the firewall rules will be
fine, but if they are using dynamic rules it doesn't matter if it
starts before or after the network is up.

Doug
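The "from/to ifX" versus "from/to (ifX)" distinction Max raises is the practical thing to audit before a ruleset is loaded ahead of netif: pf.conf(5) documents that a bare interface name in an address position is translated to the interface's addresses at ruleset load time, while the parenthesized form is updated per packet as the interface's addresses change. The following check is an added example, not code from this thread or from FreeBSD's rc.d; the interface-name pattern and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeBSD's rc.d scripts:
# audit a pf ruleset for interface names used as addresses WITHOUT
# parentheses. pf expands "from em0" to em0's addresses when the ruleset is
# loaded, so such rules depend on netif having configured the interface
# first; "from (em0)" is re-evaluated per packet and does not.
# Assumption: interface names are letters followed by digits (em0, bge1...).

IF_AS_ADDR_RE='(from|to)[[:space:]]+[a-z]+[0-9]+([[:space:]]|$)'

# Print the rules that use an unparenthesized interface name as an address.
# Reads the ruleset on stdin. Macros (ext_if = "em0") are not expanded, so an
# interface hidden behind $ext_if in an address position is not reported.
find_static_if_rules() {
    grep -E "$IF_AS_ADDR_RE"
}

# Count such rules; prints 0 when nothing in the ruleset needs netif to have
# run before pf loads it.
count_static_if_rules() {
    grep -cE "$IF_AS_ADDR_RE"
}

# Constructed sample ruleset (not taken from any real system).
SAMPLE_PF_CONF='ext_if = "em0"
set skip on lo0
pass in on $ext_if proto tcp from any to em0 port 22 keep state
pass out on em0 from (em0) to any keep state
block in quick on em0 from em0 to any
pass in on em1 from 192.0.2.0/24 to (em1)'

# Usage: report the rules that would fail to load if pf starts before netif.
printf '%s\n' "$SAMPLE_PF_CONF" | find_static_if_rules |
    sed 's/^/load-time interface expansion: /'
```

Rules flagged here can be made order-independent by switching to the parenthesized form, which is also what a DHCP-assigned external address needs anyway.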

