[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf security - is pf failsafe if config file invalid?



On Wed, Nov 09, 2005 at 11:41:27AM -0000, mike scott wrote:
> Background: I'm upgrading to FreeBSD 6.0-release and want to move from 
> ipf to pf to get the extra flexibility pf offers.
welcome! :)
 
> However, I have concerns about the security of pf at system startup and 
> when the config file is unusable. In my present /ipf/ setup, the kernel 
> itself is configured to block packets by default, so until ipf starts 
> successfully and unblocks things, the machine (which is the 
> gateway/firewall to my home LAN) is guaranteed secure. In particular, 
> if the config file fails to load for any reason, the firewall fails to 
> a secure mode.
> 
> As far as I can see with pf though, the system is wide open until the 
> pf config file is loaded successfully. Ordinarily, pf would be started 
> before any services, so it shouldn't normally matter. But under fault 
> conditions, and in particular should the pf config file be unusable for 
> any reason, it seems that my firewall could be wide open, unnoticed, 
> for an indefinite period.
> 
> Could anyone offer advice please, and perhaps set my mind at rest? 
> Thanks in advance for any comments.
First of all, you have to define "default secure".  In your case, you
obviously mean "block EVERYTHING", a very plausable definition.
HOWEVER...
In my case, I have a bunch of machines that are not under my fingertips.
If (er..when) I hose my PF configuration, I really don't want to lose
the machine until I take a road trip to fix them.  Having a machine
default to "block all" would really, really suck for those applications.
Upgrading remotely is also an issue.
Fortunately, PF is very flexible.  What you desire is very easily
accomplished, IF it is appropriate for your situation.
Create a pf.conf file that has just the block all statement.  That is
what is loaded at boot.  NOW, in your startup scripts, load a second
rules file, which takes place AFTER the "block all".  That way, if your
"production" rules fail to load, you are still on full block.  (We
usually think "PF rules go in pf.conf", but really, pf.conf just happens
to be the file we traditionally put them in, because it is loaded by
default by the startup process.  It is just a text file, any other text
file could be attempted to be loaded later.)
Just make sure that is really what you want. :)
(note: another possible "solution" would be a "pass ssh only" rule in 
pf.conf, so if something goes wrong, you can still fix it by remote.)
But also..ask yourself, does it matter?  If PF doesn't load, your home
network probably isn't getting out to the network, and the outside world
probably isn't coming in (i.e., if the PF rules don't load, NAT is not
working, and I'm guessing you are using NAT).  I'm assuming your gateway
box is moderately secure -- not running insecure apps listening on the
network, and you are using GOOD passwords on all accounts on the machine.
If not, I'd recommend doing that, first.
There are, of course, applications where one would NOT want a "fall open",
for example, a horribly insecure application which is using authpf or 
similar to authenticate individual people to it.  But then, make sure you
can still manage the system if it fails to "block all" mode.
Nick.