
firewall_type is ignored if not set in rc.conf or rc.conf.local
ClosedPublic

Authored by dpd_dpdtech.com on Feb 9 2018, 7:36 PM.
Tags
None
Referenced Files
F81943165: D14286.id.diff

Details

Summary

The rc script, /etc/rc.d/ipfw, correctly calls load_rc_config and so loads /etc/rc.conf.d/ipfw. However, revision 190575 added the concept of calling /etc/rc.firewall with the firewall_type passed in as the argument to the script.

During boot, no additional arguments are passed to rc scripts, so unless /etc/rc.d/ipfw is called manually or by external scripts, no firewall type is passed if it is not set in the global rc.conf files. The /etc/rc.firewall script does load rc.conf, rc.conf.local, and the defaults, but it does not call load_rc_config ipfw.

Since rc.firewall loads defaults, the firewall_type is always overwritten from the defaults.

17 of the 22 firewall_* variables are also in defaults/rc.conf and rc.firewall, so to have consistent behavior in FreeBSD rc, I think rc.firewall should also call load_rc_config.

This change both corrects the ipfw rc script to allow for an override while keeping legacy support, and adds load_rc_config to rc.firewall so that the rc.conf.d configs work correctly.

Variables in rc.firewall and defaults/rc.conf:

firewall_allowservices=""	# List of IPs which have access to
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
firewall_flags=""		# Flags passed to ipfw when type is a file
firewall_logdeny="NO"		# Set to YES to log default denied incoming
firewall_myservices=""		# List of TCP ports on which this host
firewall_nat_enable="NO"	# Enable kernel NAT (if firewall_enable == YES)
firewall_nat_flags=""		# Additional configuration parameters
firewall_nat_interface=""	# Public interface or IPaddress to use
firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
firewall_quiet="NO"		# Set to YES to suppress rule display
firewall_simple_iif="ed1"	# Inside network interface for "simple"
firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"
firewall_simple_oif="ed0"	# Outside network interface for "simple"
firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
firewall_trusted=""		# List of IPs which have full access to this
firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
Test Plan
  • Run with firewall_* variables in /etc/rc.conf,
  • remove firewall_* variables from /etc/rc.conf and place them in /etc/rc.conf.d/ipfw

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

For this to work right, shouldn't we load /etc/rc.conf.d/pf and maybe ipf as well?

> For this to work right, shouldn't we load /etc/rc.conf.d/pf and maybe ipf as well?

I don't think so, rc.firewall was always related with ipfw only. I think enabling others can cause a POLA problem.

> For this to work right, shouldn't we load /etc/rc.conf.d/pf and maybe ipf as well?

Well, it's actually worse than this, because natd_enable and natd_interface are also called out in rc.firewall. In my original patch before submitting, I had load_rc_config loading both ipfw and firewall, but probably, following the convention, it should also load natd and, as noted, ipf.

This is why I added firewall_rc_config_load (totally open to renaming), which would be a space-delimited list of files to load, which could be added to defaults. This does reload rc.conf et al.; an optimization would be to work this into the top, where:

# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
fi

Could add $2 and $3+ ... which would allow the calling script to define whether or not to reload rc.confs and which rc.conf.d's to load, overriding defaults.

It may be better to respect _rc_conf_loaded before re-loading these, and not do load_rc_config at all, and depend on inheriting the parent script's environment. A quick grep shows that ./rc.d/ipfw is the only script calling ${firewall_script}.

rc.firewall seems to have been created as a sample script, which the user should customize, and was likely written long before rc.conf.d. Long term, a re-write and a slight re-organization of all the firewall scripts might be needed.

However, with ${firewall_rc_config_load} ... this should be flexible enough to allow for loading any other rc.conf.d's, as well as retaining backwards/legacy compatibility, and keeping it a small delta.

@allanjude Do you have any other consideration?
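The sourcing order described in the Summary (rc.d/ipfw loads rc.conf.d/ipfw, then hands off to rc.firewall, which re-sources defaults/rc.conf in its own sh process and never sees the rc.conf.d value) and the firewall_rc_config_load loop proposed in the comment above can be reproduced without touching a real system. The script below is an added example written for this page, not code from FreeBSD's rc.d/ipfw, rc.subr or rc.firewall: it rebuilds the config tree under a scratch directory with constructed values, uses a simplified stand-in for load_rc_config, models rc.firewall as a child sh so that no shell variables leak in from the caller, and lets you switch each side between the pre-change behaviour and the repair discussed in the review (passing the type through from rc.d/ipfw, and reloading the rc.conf.d files named in firewall_rc_config_load). The variable name firewall_rc_config_load and its default list are taken from the discussion; the RC_FIREWALL_PATCHED switch and the "workstation"/"open" type values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc code. Everything lives under $SANDBOX.
SANDBOX="${SANDBOX:-$(mktemp -d)}"

# Constructed config tree: defaults say UNKNOWN, rc.conf has no firewall_type,
# the per-service rc.conf.d files carry the real settings.
make_config_tree() {
    mkdir -p "$SANDBOX/etc/defaults" "$SANDBOX/etc/rc.conf.d"
    printf 'firewall_type="UNKNOWN"\nfirewall_quiet="NO"\nfirewall_rc_config_load="ipfw natd"\n' \
        > "$SANDBOX/etc/defaults/rc.conf"
    printf 'firewall_enable="YES"\n' > "$SANDBOX/etc/rc.conf"
    printf 'firewall_type="workstation"\nfirewall_quiet="YES"\n' \
        > "$SANDBOX/etc/rc.conf.d/ipfw"
    printf 'natd_enable="YES"\nnatd_interface="em0"\n' > "$SANDBOX/etc/rc.conf.d/natd"
}

# Simplified stand-in for rc.subr's load_rc_config: defaults, rc.conf, then
# the per-service file under rc.conf.d (the real function does more).
load_rc_config() {
    . "$SANDBOX/etc/defaults/rc.conf"
    [ -r "$SANDBOX/etc/rc.conf" ] && . "$SANDBOX/etc/rc.conf"
    [ -r "$SANDBOX/etc/rc.conf.d/$1" ] && . "$SANDBOX/etc/rc.conf.d/$1"
    return 0
}

# Stand-in rc.firewall. It is run as a separate sh, like the real one, so it
# inherits only the environment, not the caller's shell variables.
write_rc_firewall() {
    cat > "$SANDBOX/etc/rc.firewall" <<'EOF'
# constructed stand-in for /etc/rc.firewall; SANDBOX comes from the environment
. "$SANDBOX/etc/defaults/rc.conf"
[ -r "$SANDBOX/etc/rc.conf" ] && . "$SANDBOX/etc/rc.conf"
if [ "$RC_FIREWALL_PATCHED" = yes ]; then
    # the loop proposed in the review: reload each listed rc.conf.d file so
    # per-service values win over the defaults just sourced
    for _svc in ${firewall_rc_config_load}; do
        [ -r "$SANDBOX/etc/rc.conf.d/$_svc" ] && . "$SANDBOX/etc/rc.conf.d/$_svc"
    done
fi
# a type passed as $1 always wins; otherwise whatever was sourced stands
[ -n "$1" ] && firewall_type="$1"
echo "type=$firewall_type quiet=$firewall_quiet natd=${natd_enable:-NO}"
EOF
}

# Stand-in for rc.d/ipfw's start. $1 = old|fixed selects the rc.d side,
# $2 = old|fixed selects rc.firewall, $3 is an optional explicit type
# (what "service ipfw start TYPE" would pass). Prints what rc.firewall sees.
simulate_ipfw_start() {
    make_config_tree
    write_rc_firewall
    unset firewall_type firewall_quiet natd_enable
    load_rc_config ipfw              # rc.d/ipfw already does this correctly
    _type=""
    case "$1" in
        old)   _type="$3" ;;                         # at boot $3 is empty: type lost
        fixed) _type="${3:-${firewall_type}}" ;;     # explicit arg overrides config
    esac
    _patched=no
    [ "$2" = fixed ] && _patched=yes
    SANDBOX="$SANDBOX" RC_FIREWALL_PATCHED="$_patched" sh "$SANDBOX/etc/rc.firewall" $_type
}

# Walk through the four combinations discussed in the review.
for _rcd in old fixed; do
    for _fw in old fixed; do
        printf 'rc.d/ipfw=%-5s rc.firewall=%-5s -> ' "$_rcd" "$_fw"
        simulate_ipfw_start "$_rcd" "$_fw"
    done
done
```

Running it shows the two halves of the problem separately: with the old rc.d/ipfw the type collapses to UNKNOWN because nothing is passed as $1; passing the type through from rc.d/ipfw repairs firewall_type alone, while firewall_quiet and natd_enable from rc.conf.d are still lost until rc.firewall itself reloads the files listed in firewall_rc_config_load.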

This revision was not accepted when it landed; it landed in state Needs Review. Feb 22 2018, 8:25 AM
This revision was automatically updated to reflect the committed changes.