From nobody@FreeBSD.org  Sun Mar 11 19:09:25 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5066F10656D1
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Mar 2012 19:09:25 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 022FE8FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Mar 2012 19:09:25 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q2BJ9OGm094134
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Mar 2012 19:09:24 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q2BJ9OJh094133;
	Sun, 11 Mar 2012 19:09:24 GMT
	(envelope-from nobody)
Message-Id: <201203111909.q2BJ9OJh094133@red.freebsd.org>
Date: Sun, 11 Mar 2012 19:09:24 GMT
From: Radim Kolar <hsn@sendmail.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [security bug] incomplete firewall rules loaded if tables are used in ipfw.conf
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         165939
>Category:       kern
>Synopsis:       [ipfw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ipfw
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 11 19:10:14 UTC 2012
>Closed-Date:    
>Last-Modified:  Mon Apr 08 14:55:37 UTC 2013
>Originator:     Radim Kolar
>Release:        8.2 amd64
>Organization:
FILEZ.com
>Environment:
>Description:
If a user has tables used in /etc/ipfw.conf, for example:

table 1 add 64.6.108.239

then a firewall restart:

/etc/rc.d/ipfw start

fails with:
Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
Firewall rules loaded.

and an incomplete ruleset is loaded. This is a serious security problem.

>How-To-Repeat:

>Fix:
In /etc/rc.firewall, after ${fwcmd} -f flush, you need to flush the tables too with the command:

ipfw table all flush

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Mar 12 00:51:29 UTC 2012 
Responsible-Changed-Why:  
over to secteam for analysis. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 
Responsible-Changed-From-To: secteam->freebsd-bugs 
Responsible-Changed-By: crees 
Responsible-Changed-When: Sat Jul 14 16:11:41 UTC 2012 
Responsible-Changed-Why:  
More of an ipfw problem-- "maintainers" will be emailed shortly 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: crees 
Responsible-Changed-When: Sat Jul 14 16:14:12 UTC 2012 
Responsible-Changed-Why:  
Beg pardon-- forgot there was a mailing list 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 
Responsible-Changed-From-To: freebsd-ipfw->secteam 
Responsible-Changed-By: crees 
Responsible-Changed-When: Sat Jul 14 21:00:29 UTC 2012 
Responsible-Changed-Why:  
Reassign as per request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 
Responsible-Changed-From-To: secteam->freebsd-ipfw 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sat Jul 14 21:46:10 UTC 2012 
Responsible-Changed-Why:  
After consulting with the secteam members, it seems that this might 
indeed be a documentation issue or a bug. Assign it per example of 
crees to the IPFW team. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165939 

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, hsn@sendmail.cz
Cc:  
Subject: Re: kern/165939: [ipfw] bug: incomplete firewall rules loaded if tables
 are used in ipfw.conf
Date: Tue, 30 Oct 2012 00:17:39 +1100

 This is not a bug but a feature, at least for those of us managing some
 or all ipfw tables independently of the ruleset. In such cases flushing
 tables would be a bug, requiring addition of all entries in tables used
 to be included in the ruleset before using service ipfw restart. This
 would be unwieldy at best, esp. for tables updated dynamically by hand
 and/or by other scripts monitoring logs and such (I use both).
 
 I think ipfw(8) is clear enough that ipfw flush just flushes rules, not
 tables, nat or dummynet configs, but emphasising that may be helpful?
 
 For those using tables only defined in their ruleset, adding 'ipfw table
 all flush' (or better, flushing particular tables used by the ruleset)
 before the first 'ipfw table add ..' command is certainly necessary.
 
 cheers, Ian
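The following is an added example, not part of the PR or of rc.firewall, showing the approach Ian suggests and the submitter's ">Fix" section both lead to: flushing only the tables the ruleset itself populates, once each, immediately before the first "table N add" line, so that /etc/rc.d/ipfw restart no longer aborts with IP_FW_TABLE_ADD "File exists" while tables maintained outside the ruleset are left alone. It assumes the file format ipfw(8) reads (one command per line, no "ipfw" prefix); the sample ruleset and its addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not the PR's or FreeBSD's code): rewrite an ipfw ruleset so
# that each table it populates is flushed once, right before its first
# "table N add". Tables the ruleset never populates (e.g. ones fed by other
# scripts) are not touched, which is the case Ian's follow-up describes.
# Assumes ipfw(8)'s file format: one command per line, no "ipfw" prefix.

# Constructed sample ruleset standing in for /etc/ipfw.conf (assumption).
sample_ruleset() {
    cat <<'EOF'
# blocked hosts (constructed example addresses)
table 1 add 192.0.2.10
table 1 add 192.0.2.11
table 2 add 198.51.100.0/24
add 100 deny ip from table(1) to any
add 200 deny ip from any to table(2)
add 65000 allow ip from any to any
EOF
}

# Print the distinct table numbers the ruleset on stdin populates,
# in first-seen order. Tables only referenced in rules are not listed.
populated_tables() {
    awk '$1 == "table" && $3 == "add" && !seen[$2]++ { print $2 }'
}

# Copy the ruleset on stdin to stdout, inserting "table N flush" once
# before the first "table N add" for each table N. Everything else,
# including comments and the rules themselves, passes through unchanged.
add_table_flushes() {
    awk '
        $1 == "table" && $3 == "add" && !flushed[$2]++ { print "table", $2, "flush" }
        { print }
    '
}

# Usage on a real system (not run here): write a fresh copy, review it,
# then point firewall_type at it in /etc/rc.conf.
#   add_table_flushes < /etc/ipfw.conf > /etc/ipfw.conf.new
```

Because the flush is emitted per table rather than as "ipfw table all flush", a restart only resets tables the ruleset re-populates itself; a table that is populated solely by hand or by a log-watching script keeps its entries, which is the behaviour Ian's reply wants to preserve.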
>Unformatted:
