
Re: pf security - is pf failsafe if config file invalid?

On Tue, Nov 15, 2005 at 03:32:11PM -0000, mike scott wrote:
> > if [ "X${pf}" != X"NO" ]; then
> >         RULES="block all"
> >         RULES="$RULES\npass on lo0"
> ....
> >         echo $RULES | pfctl -f - -e
> > fi
> >
> And if, for any reason whatsoever, pfctl fails to run? The system
> remains wide open.
It's worse than you suspect. If the pfctl binary is corrupt or missing
and fails to run, pf won't ever get enabled at all. Forget about the
fact that an empty ruleset means a default-pass policy. That's
irrelevant, all packets will pass because pf simply isn't filtering at
all in that case ;)
However, feel free to do this:
	echo $RULES | pfctl -f - -e || shutdown -h
And if you're worried about a corrupted shutdown binary failing, exit
the rc script. At this point, no local daemons are started and the
kernel isn't forwarding IP because sysctl.conf hasn't been read yet.
And you can't seriously consider using a packet filter that loads as a
kernel module, either. What if the kernel module file gets lost? The
system fails open.
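As an added illustration of the fail-closed rc fragment discussed above (my own example, not the OpenBSD rc script and not the poster's code), the two checks a defender wants are: refuse to continue when the pfctl binary is absent or not executable, and refuse to continue when pfctl exits non-zero. PFCTL and FAIL_ACTION are hypothetical overrides so the logic can be exercised with stubs; on a real system they are /sbin/pfctl and "shutdown -h now".

```sh
#!/bin/sh
# Added example: fail-closed loading of a pf ruleset at boot.
# PFCTL / FAIL_ACTION are assumed overrides for testing, not rc(8) variables.
PFCTL=${PFCTL:-/sbin/pfctl}
FAIL_ACTION=${FAIL_ACTION:-"shutdown -h now"}

# Load and enable the ruleset given as $1 (newline-separated rules).
# Returns 0 only if pf is filtering; every failure path returns 1.
load_pf_rules() {
    rules=$1
    # Check 1: a missing or corrupt pfctl means pf is never enabled at all,
    # which is exactly the "fail open" case from the thread.
    if [ ! -x "$PFCTL" ]; then
        echo "pf: $PFCTL missing or not executable" >&2
        return 1
    fi
    # Check 2: pfctl's exit status is the only signal that the rules took.
    # printf '%b' expands the \n in the rule string portably (unlike echo).
    if ! printf '%b\n' "$rules" | "$PFCTL" -f - -e; then
        echo "pf: ruleset failed to load, not continuing boot" >&2
        return 1
    fi
    return 0
}

# rc-style use: the original script continues booting unfiltered when the
# pipeline fails; this variant takes FAIL_ACTION (halt) and returns 1.
boot_with_pf() {
    if load_pf_rules "$1"; then
        return 0
    fi
    $FAIL_ACTION
    return 1
}
```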