
Re: pf security - is pf failsafe if config file invalid?



On 15 Nov 2005 at 8:58, Peter N. M. Hansteen wrote:
..
> The OpenBSD /etc/rc has this code to initialize PF before any interfaces
> are up:
> 
> if [ "X${pf}" != X"NO" ]; then
>         RULES="block all"
>         RULES="$RULES\npass on lo0"
....
>         echo $RULES | pfctl -f - -e
> fi
>
And if, for any reason whatsoever, pfctl fails to run? The system 
remains wide open.
Yes, that would be an entirely abnormal circumstance. But I have, for 
example, had one FreeBSD crash ever(!); but this caused minor disk 
corruption, losing a strange set of files. It could have been pfctl 
among them. It seems to me that a firewall needs to be designed to fail 
safe as far as is possible.
I'm no kernel code writer. But surely, somewhere in the depths of the 
pf code there's currently a decision made rather like:
if( got rules )
	obey rules
else
	pass packet.
It can't be rocket science to make the 'pass' a 'block' in which case 
everything is entirely watertight in the event of virtually /any/ 
system fault bar kernel corruption. And it can't be too much harder to 
make this a compiled-in option, which would keep happy the paranoid, 
while allowing those who want remote log-in on failure to do so.
Sorry to labour the point; maybe I'm a lone voice, but I'm a lone voice 
that feels very strongly about this issue.
-- 
various incoming sites blocked because of spam; see 
http://www.scottsonline.org.uk for a list and openpgp crypto key
(key fingerprint 2ACC 9F21 5103 F68C 7C32 9EA8 C949 81E1 31C9 1364)
[email protected]    Mike Scott, Harlow, Essex, England
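As an added example, not code from this thread or from OpenBSD's /etc/rc: a fail-safe variant of the bootstrap snippet quoted above, in POSIX sh. The rc snippet pipes the rules into `pfctl -f - -e` and carries on whatever the exit status; this version checks the load and, on any failure (non-zero exit, or pfctl itself missing, which is the lost-to-disk-corruption case), refuses to proceed and leaves the interfaces down. The loader command is a parameter so the logic can be exercised on a host without pf; the `ifconfig` calls are echoed rather than executed, and the interface names em0/em1 are placeholders.

```shell
#!/bin/sh
# Added example: fail-safe loading of the pf bootstrap ruleset.
# Not from OpenBSD's rc; loader and interface names are parameters/placeholders.

# Build the bootstrap ruleset exactly as /etc/rc does: block everything,
# allow loopback so local services can still talk to themselves.
# printf '%b' expands the literal "\n" in RULES portably (rc relies on echo).
default_rules() {
    RULES="block all"
    RULES="$RULES\npass on lo0"
    printf '%b\n' "$RULES"
}

# load_pf_failsafe LOADER [IFACE ...]
# Feeds the bootstrap rules to LOADER (on a real host: "pfctl -f - -e").
# Returns 0 if the loader succeeded, meaning it is safe to bring the
# network up. On any failure it returns 1 and prints, one per interface,
# the "ifconfig IFACE down" it would run (echoed, not executed, so this
# runs anywhere). A missing loader binary fails the same way (status 127).
load_pf_failsafe() {
    [ $# -ge 1 ] || { echo "usage: load_pf_failsafe LOADER [IFACE ...]" >&2; return 2; }
    loader=$1
    shift
    # Pipeline status is the loader's exit status; $loader is deliberately
    # unquoted so "pfctl -f - -e" splits into command and arguments.
    if default_rules | $loader; then
        echo "pf: bootstrap rules loaded, safe to bring interfaces up" >&2
        return 0
    fi
    # Fail closed: do NOT go on to configure the interfaces.
    echo "pf: rule load FAILED, leaving interfaces down" >&2
    for ifn in "$@"; do
        echo "would run: ifconfig $ifn down"
    done
    return 1
}

# Demonstration, run as: sh thisfile.sh demo (filename is arbitrary).
# "cat" stands in for a loader that succeeds, "false" for one that fails.
if [ "${1:-}" = demo ]; then
    load_pf_failsafe cat em0 em1     # rules echoed, exit status 0
    load_pf_failsafe false em0 em1   # interfaces left down, exit status 1
fi
```

In a real rc the caller would test the function's exit status and skip the later network start-up (on OpenBSD, `sh /etc/netstart`) when it fails, so a broken or absent pfctl leaves the box unreachable rather than unfiltered. This only closes the userland gap the post describes; the kernel-side default for "no rules loaded" is a separate matter and is exactly the compiled-in choice the post argues for.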