[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pf security - is pf failsafe if config file invalid?



On Wed, Nov 16, 2005 at 10:21:47AM +0800, Lars Hansson wrote:
> > And if, for any reason whatsoever, pfctl fails to run? The system 
> > remains wide open.
> 
> Becasue that happens a lot....
> Oh come on now, this is a fringe case if there ever was one.
The far more common case where exactly this happens is when you update
an (OpenBSD) system from source. If you follow the FAQ 5.3.1 [1], you're
rebooting into a new kernel before rebuilding userland. Chances are that
the userland/kernel API of pf has changed slightly, making old pfctl
binaries abort with ioctl failures (these are the cases where people are
told to check whether their userland and kernel are out of sync). If you
search mailing list archives, this has happened to a number of people
over several releases.
I suspect the number of people who forget to update userland and accidentally
and unknowingly leave the system with a permanently non-functional pf is small
compared to those who
  a) are glad they can still ssh in to finish the update by rebuilding
     userland
  b) aren't bothered too much that, during those couple of minutes, pf
     isn't filtering at all
  b) after an update, check whether the system comes back up functional,
     including a brief check of pfctl -si/-sr output
If you apply the requested patch, you'll go booking a flight to your
server location in this case. Or at least have to get out of your chair
and walk to the server room, or annoy someone with a phone call ;)
Daniel
[1] http://www.openbsd.org/faq/faq5.html#Bld