From eugen@grosbein.pp.ru  Mon Mar  3 07:15:18 2003
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id AFA4E37B401; Mon,  3 Mar 2003 07:15:18 -0800 (PST)
Received: from grosbein.pp.ru (www2.svzserv.kemerovo.su [213.184.65.86])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 21CCB43FBD; Mon,  3 Mar 2003 07:15:08 -0800 (PST)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (smmsp@localhost [127.0.0.1])
	by grosbein.pp.ru (8.12.7/8.12.7) with ESMTP id h23FF0W2001180;
	Mon, 3 Mar 2003 22:15:00 +0700 (KRAT)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.12.7/8.12.7/Submit) id h23FBcmB000870;
	Mon, 3 Mar 2003 22:11:38 +0700 (KRAT)
Message-Id: <200303031511.h23FBcmB000870@grosbein.pp.ru>
Date: Mon, 3 Mar 2003 22:11:38 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: arch@freebsd.org
Subject: [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmfull
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         48881
>Category:       conf
>Synopsis:       [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmfull
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-rc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 03 07:20:07 PST 2003
>Closed-Date:    Thu May 17 10:14:26 GMT 2007
>Last-Modified:  Thu May 17 10:14:26 GMT 2007
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.8-PRERELEASE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #2: Sat Mar 1 21:20:16 KRAT 2003 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386

>Description:
	Revision 1.13 of /etc/rc.firewall, 5 years ago, introduced the
	ability to pass firewall_type as $1. This feature is not
	documented in the rc(8) man page. Meanwhile /etc/rc.network
	invokes /etc/rc.firewall using the '.' command, so /etc/rc.firewall
	will inherit $1.

	rc.network will invoke /etc/start_$ifname using '.' also.
	An unsuspecting administrator may make start_$ifname so that
	it sets positional parameters. /etc/rc.firewall will catch $1
	and ignore firewall_type from /etc/rc.conf. Most probably,
	this will result in a set of rules consisting of the
	default rule only, that is 'deny from any to any'.
	That's dangerous and might be hard to debug and recover from.

>How-To-Repeat:

	Try using such an /etc/start_gre script to assist WCCP:

#!/bin/sh

routers="1.2.3.4 5.6.7.8"   # WCCP-compatible gateways
wccp_int="fxp0"		    # we try not to hardcode our IP
			    # but autosense it from /etc/rc.conf

eval set \$interface_$wccp_int	# generally, this is an easy way
my_ip=$2			# to get the IP address of an interface
				# from /etc/rc.conf

# configure tunnels
for ...

	The documentation nowhere warns that one should not use such constructions.
	So we will have $1="inet" here and rc.firewall will NOT load
	firewall rules if /etc/inet does not exist. That may be harmful.
	The same applies to rc.firewall6 but I did not try it.

>Fix:

	A decision has to be taken. One should either correct rc(8)
	to warn administrators or take some measures.
	For example, it's possible to unset positional parameters
	before running /etc/rc.firewall.

	Apply this patch to /etc:

--- rc.network.orig	Mon Mar  3 22:05:32 2003
+++ rc.network	Mon Mar  3 22:00:30 2003
@@ -330,6 +330,7 @@
 		case ${firewall_enable} in
 		[Yy][Ee][Ss])
 			if [ -r "${firewall_script}" ]; then
+				while shift 2>/dev/null; do :; done
 				. "${firewall_script}"
 				echo -n 'Firewall rules loaded, starting divert daemons:'
 
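Review bot: `while shift 2>/dev/null; do :; done` depends on `shift` merely returning non-zero once no positional parameters remain; FreeBSD's /bin/sh does that, but `shift` is a special built-in and other POSIX shells (dash, for one) treat the out-of-range case in a non-interactive shell as a fatal error, which would abort rc.network right before the firewall script is sourced. `set --` unsets all positional parameters in one POSIX-defined step, needs no stderr redirect and states the intent; suggest using it in place of the loop, directly above `. "${firewall_script}"`, together with a one-line comment saying why $1 is dropped here, since nothing in the surrounding `case ${firewall_enable}` branch hints that a previously sourced start_$ifname script can leave $1 set. Invoking /etc/rc.firewall directly with a type argument is unaffected either way, because only the rc.network path is changed.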
--- rc.network6.orig	Mon Mar  3 22:10:43 2003
+++ rc.network6	Mon Mar  3 22:10:33 2003
@@ -67,6 +67,7 @@
 		case ${ipv6_firewall_enable} in
 		[Yy][Ee][Ss])
 			if [ -r "${ipv6_firewall_script}" ]; then
+				while shift 2>/dev/null; do :; done
 				. "${ipv6_firewall_script}"
 				echo -n 'IPv6 Firewall rules loaded.'
 			elif [ "`ip6fw l 65535`" = "65535 deny ipv6 from any to any" ]; then
 
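Review bot: the identical loop is now duplicated in rc.network and rc.network6, so a later change to one branch can easily miss the other. The closing suggestion in this PR, wrapping the rc.firewall[6] invocation in a function, covers both files without the loop at all, because a function called with no arguments starts with an empty positional list of its own while the script's variable assignments still land in the global shell: e.g. `load_fw() { . "${ipv6_firewall_script}"; }` and then `load_fw` in place of the added line and the `.` line below it. The `elif` branch that queries `ip6fw l 65535` only runs when the script is unreadable, so it is unaffected by either variant.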

	OTOH, one may wrap the invocation of rc.firewall[6] in a function.

Eugene Grosbein
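
The mechanism described in the Description and How-To-Repeat sections, as an added demonstration that is not part of the PR and not FreeBSD's rc code: two stand-in files imitate /etc/start_gre and the rc.firewall $1 check, and three functions source them the way the unpatched rc.network does, with positional parameters cleared first (the PR's remedy, written as the portable `set --`), and in a separate shell (the remedy later adopted in rc.d/ipfw). The scratch directory, the interface_fxp0 value, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc code: reproduces how a sourced start_$ifname
# script that runs 'set' leaks $1 into a later-sourced rc.firewall, and shows
# two ways to stop it. Paths, sample values and function names are hypothetical.

WORK=$(mktemp -d)                     # scratch directory for the stand-in scripts
trap 'rm -rf "$WORK"' EXIT

# Stand-in for /etc/start_gre from the PR: 'eval set' rewrites the caller's
# positional parameters, because '.' runs the file in the current shell.
cat > "$WORK/start_gre" <<'EOF'
interface_fxp0="inet 192.0.2.10 netmask 255.255.255.0"   # constructed rc.conf-style value
eval set \$interface_fxp0
my_ip=$2
EOF

# Stand-in for the rc.firewall revision-1.13 behaviour the PR refers to:
# a non-empty $1 silently replaces firewall_type from rc.conf.
cat > "$WORK/rc.firewall" <<'EOF'
if [ -n "${1}" ]; then
	firewall_type="${1}"
fi
EOF

# Unpatched rc.network: both files sourced into one shell.
# Prints the firewall_type rc.firewall ends up with.
run_unpatched() {
	firewall_type=open
	. "$WORK/start_gre"
	. "$WORK/rc.firewall"
	printf '%s\n' "$firewall_type"
}

# The PR's remedy: clear every positional parameter before sourcing
# rc.firewall. 'set --' is the POSIX equivalent of the patch's shift loop.
run_with_cleared_params() {
	firewall_type=open
	. "$WORK/start_gre"
	set --
	. "$WORK/rc.firewall"
	printf '%s\n' "$firewall_type"
}

# The remedy later adopted in rc.d/ipfw: run rc.firewall in a separate shell,
# which starts with no positional parameters at all. firewall_type is handed
# over through the environment because the stand-in does not re-read rc.conf.
run_in_separate_shell() {
	firewall_type=open
	. "$WORK/start_gre"
	FW="$WORK/rc.firewall" firewall_type="$firewall_type" \
		sh -c '. "$FW"; printf "%s\n" "$firewall_type"'
}

echo "unpatched rc.network:      $(run_unpatched)"
echo "positional params cleared: $(run_with_cleared_params)"
echo "separate shell:            $(run_in_separate_shell)"
```

The first line prints "inet", the other two print "open": the administrator configured firewall_type=open, but in the unpatched flow rc.firewall sees the leftover $1="inet" from start_gre and uses that instead, which with the real script means the type file /etc/inet is looked for and, when absent, only the default deny rule remains.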

>Release-Note:
>Audit-Trail:

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@freebsd.org
Cc: net@freebsd.org
Subject: Re: conf/48881: [PATCH] The influence of /etc/start_ifname on /etc/rc.firewall is obscure and harmfull
Date: Sun, 8 Aug 2004 23:07:23 +0800

 Hi!
 
 Could somebody take a look at this PR? It waits for 17 months.
 
 Eugene
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jun 29 00:31:33 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=48881 
State-Changed-From-To: open->closed 
State-Changed-By: mtm 
State-Changed-When: Thu May 17 10:08:03 UTC 2007 
State-Changed-Why:  
In rc.d this issue affected rc.d/ipfw. However, in revision 1.15 of
rc.d/ipfw (and revision 1.10.2.4 in RELENG_6) the invocation of
rc.firewall was changed so that it runs in a separate shell. So, this
issue no longer applies.

http://www.freebsd.org/cgi/query-pr.cgi?pr=48881 
>Unformatted:
