
Re: pf security - is pf failsafe if config file invalid?



On Tue, Nov 15, 2005 at 07:22:56PM -0000, mike scott wrote:
> Not currently an issue, as ipf is statically linked into my kernel, and 
> set to block by default. I believe that's pretty well bomb-proof.  I'm 
> not even sure, come to think of it, that /pf/ can be statically linked 
> into the freebsd kernel; I know that's not a pf issue particularly, but 
> is still another nail in the coffin, so to speak, from my perspective.
Apply the patch below and recompile your kernel with
option		I_AM_A_BUTTON_PUSHING_FOOL
Yes, IPv6 support is included even though I suspect you're compiling a
custom kernel with that disabled.
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.508
diff -u -r1.508 pf.c
--- pf.c	14 Nov 2005 09:18:55 -0000	1.508
+++ pf.c	16 Nov 2005 05:44:07 -0000
@@ -5748,8 +5748,13 @@
 	struct pf_pdesc		 pd;
 	int			 off, dirndx, pqid = 0;
 
-	if (!pf_status.running)
+	if (!pf_status.running) {
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		return (PF_DROP);
+#else
 		return (PF_PASS);
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+	}
 
 	memset(&pd, 0, sizeof(pd));
 	if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
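Review bot: The new `return (PF_DROP)` under `I_AM_A_BUTTON_PUSHING_FOOL` leaves the function before `pd`, `reason` or `log` exist, so a fail-closed box records nothing for these drops — no counter, no reason, no log line — and an operator cannot tell "pf not yet enabled" from a dead link; the same applies to the second copy of this change in the `@@ -6077,8 +6098,13 @@` hunk. The early return itself is presumably safe, since the next line already returns a drop before the main body on `pf_get_mtag()` failure, but that path appears to go through the function's normal completion and this one does not. At minimum document the trade-off on the new line: `/* fail closed while pf is disabled: dropped before pd/reason/log are set up, so nothing is counted */`. A follow-up could route the drop through the function's completion path with a reason so the drops are visible in pf's statistics; the rest of the function lies outside the hunk.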
@@ -5849,7 +5854,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_tcp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ipintrq);
 		break;
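Review bot: With the added `&& TAILQ_FIRST(...) != NULL`, an empty main filter ruleset makes both the state branch and the `pf_test_tcp()` branch fall through, so `action` is left at whatever value it held before the `switch` — which, unless pf_test assigns it earlier (outside this hunk), is uninitialized rather than the intended PF_DROP. The enclosing `if`/`switch` and the function start outside the hunk. The same construction is repeated in the seven later hunks (the udp/icmp/other cases and their counterparts using `ip6intrq`), so the fix below applies to each of them. Note also that the check looks only at the main ruleset, so rules present only in anchors would, if I read the data structures correctly, still count as "no rules"; a comment stating that scope is worth adding. Making the drop explicit keeps the `#ifdef` out of the expression and gives the fail-closed case a definite action:
```c
		} else if (s == NULL) {
#ifdef I_AM_A_BUTTON_PUSHING_FOOL
			/* fail closed: no filter rules in the main ruleset */
			if (TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) == NULL)
				action = PF_DROP;
			else
#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
			action = pf_test_tcp(&r, &s, dir, kif,
			    m, off, h, &pd, &a, &ruleset, &ipintrq);
		}
		/* … unchanged: break … */
```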
@@ -5885,7 +5894,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_udp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ipintrq);
 		break;
@@ -5915,7 +5928,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_icmp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ipintrq);
 		break;
@@ -5930,7 +5947,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_other(&r, &s, dir, kif, m, off, h,
 			    &pd, &a, &ruleset, &ipintrq);
 		break;
@@ -6077,8 +6098,13 @@
 	struct pf_pdesc		 pd;
 	int			 off, terminal = 0, dirndx;
 
-	if (!pf_status.running)
+	if (!pf_status.running) {
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		return (PF_DROP);
+#else
 		return (PF_PASS);
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+	}
 
 	memset(&pd, 0, sizeof(pd));
 	if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
@@ -6200,7 +6226,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_tcp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
 		break;
@@ -6237,7 +6267,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_udp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
 		break;
@@ -6268,7 +6302,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_icmp(&r, &s, dir, kif,
 			    m, off, h, &pd, &a, &ruleset, &ip6intrq);
 		break;
@@ -6283,7 +6321,11 @@
 			r = s->rule.ptr;
 			a = s->anchor.ptr;
 			log = s->log;
-		} else if (s == NULL)
+		} else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+		    && TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+			)
 			action = pf_test_other(&r, &s, dir, kif, m, off, h,
 			    &pd, &a, &ruleset, &ip6intrq);
 		break;