Bug 126060

Summary: [ipfw] [patch] IPFW limit checking in nightly security scripts slightly botched
Product: Base System
Reporter: Ronald F. Guilmette <rfg>
Component: conf
Assignee: Antoine Brodin <antoine>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 6.3-RELEASE
Hardware: Any
OS: Any
Attachments:
file.diff (flags: none)

Description Ronald F. Guilmette 2008-07-29 02:30:06 UTC
The following two scripts fail to correctly interpret sysctl IPFW
logging limits of "0" (i.e. "no limit") for IPv4 and IPv6 respectively:

/etc/periodic/security/550.ipfwlimit
/etc/periodic/security/650.ip6fwlimit

Fix: Trivial/obvious patches included below.  *** WARNING *** Somebody
please check these for correct awk syntax.  I don't do very much awk,
so I may have botched the fixes here.  But I think I got them right.
How-To-Repeat: Run the scripts noted above, or just wait for them to run automagically
at 3AM.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2008-07-31 15:40:19 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-rc

Over to maintainer(s).
Comment 2 Doug Barton freebsd_committer freebsd_triage 2008-07-31 20:26:12 UTC
Responsible Changed
From-To: freebsd-rc->freebsd-bugs
periodic != rc
Comment 3 Antoine Brodin freebsd_committer freebsd_triage 2008-08-03 17:32:07 UTC
I think that this periodic script has a few problems:
- it should not check rules without "logamount"
- it should not use sysctl net.inet.ip.fw.verbose_limit
- it should not run if sysctl net.inet.ip.fw.verbose is not 1

The logging limit for a rule that doesn't have "logamount" is set to
the value of net.inet.ip.fw.verbose_limit at the time the rule is set,
and when this rule is shown later it has a logamount:

%%%
# ipfw -a list
65535 0 0 deny ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=0
net.inet.ip.fw.verbose_limit: 500 -> 0
# ipfw add 100 allow log ip from any to any
00100 allow log ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=100
net.inet.ip.fw.verbose_limit: 0 -> 100
# ipfw add 200 allow log ip from any to any
00200 allow log logamount 100 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=200
net.inet.ip.fw.verbose_limit: 100 -> 200
# ipfw add 300 allow log ip from any to any
00300 allow log logamount 200 ip from any to any
# sysctl net.inet.ip.fw.verbose_limit=300
net.inet.ip.fw.verbose_limit: 200 -> 300
# ipfw add 400 allow log ip from any to any
00400 allow log logamount 300 ip from any to any
# ipfw add 500 allow log logamount 0 ip from any to any
00500 allow log ip from any to any
# ipfw -a list
00100 10 1227 allow log ip from any to any
00200  0    0 allow log logamount 100 ip from any to any
00300  0    0 allow log logamount 200 ip from any to any
00400  0    0 allow log logamount 300 ip from any to any
00500  0    0 allow log ip from any to any
65535  4  436 deny ip from any to any
%%%
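As an added illustration (not code from the PR, the reporter, or the committed script), the following shell runs the pre-fix and the post-fix awk logic of 550.ipfwlimit over a constructed `ipfw -a list` sample shaped like the listing above, so the false positive on unlimited rules and its removal can be seen side by side; the sample values and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed "ipfw -a list" sample, modeled on the listing in comment 3 but with
# rule 200's packet counter pushed past its logamount.
# Columns: rule pkts bytes action [log [logamount N]] proto from ... to ...
SAMPLE_IPFW_LIST='00100 10 1227 allow log ip from any to any
00200 150 18000 allow log logamount 100 ip from any to any
00300 0 0 allow log logamount 200 ip from any to any
00400 5 600 allow log logamount 300 ip from any to any
00500 9999 999999 allow log ip from any to any
65535 4 436 deny ip from any to any'

# Shared prefilter: keep only counted rules that log (same greps as the script,
# with the portable \{1,\} in place of the GNU-only \+).
_logging_rules() {
    printf '%s\n' "$1" |
    grep ' log ' |
    grep '^[[:digit:]]\{1,\}[[:space:]]\{1,\}[[:digit:]]\{1,\}'
}

# Pre-fix logic: a rule without logamount is compared against a caller-supplied
# net.inet.ip.fw.verbose_limit ($2). When that sysctl is 0 ("no limit", as the PR
# describes), every unlimited rule that has logged at least one packet is reported,
# which is the false positive this PR is about.
ipfw_over_limit_old() {
    _logging_rules "$1" |
    awk -v limit="$2" '
        $6 == "logamount" { if ($2 > $7) print $0; next }
        { if ($2 > limit) print $0 }'
}

# Post-fix logic: only a rule's own logamount is authoritative; a rule that shows
# no logamount has no limit (comment 3) and is skipped.
ipfw_over_limit_new() {
    _logging_rules "$1" |
    awk '$6 == "logamount" && $2 > $7 { print $0 }'
}
```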
Comment 4 Antoine Brodin freebsd_committer freebsd_triage 2008-08-03 21:37:41 UTC
Responsible Changed
From-To: freebsd-bugs->antoine

Take.
Comment 5 dfilter service freebsd_committer freebsd_triage 2008-08-10 19:12:27 UTC
antoine     2008-08-10 18:11:24 UTC

  FreeBSD src repository

  Modified files:
    etc/periodic/security 550.ipfwlimit 
  Log:
  SVN rev 181531 on 2008-08-10 18:11:24Z by antoine
  
  Improve periodic/security/550.ipfwlimit a bit:
  - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
  - handle rules without logging limit correctly [1]
  (those rules show up without logamount in "ipfw -a list")
  
  PR:             conf/126060 [1]
  MFC after:      1 month
  
  Revision  Changes    Path
  1.11      +3 -6      src/etc/periodic/security/550.ipfwlimit
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 6 Antoine Brodin freebsd_committer freebsd_triage 2008-08-10 19:20:54 UTC
State Changed
From-To: open->patched

Patched in head.
Comment 7 dfilter service freebsd_committer freebsd_triage 2009-01-10 19:00:55 UTC
Author: antoine
Date: Sat Jan 10 19:00:17 2009
New Revision: 187031
URL: http://svn.freebsd.org/changeset/base/187031

Log:
  MFC r181531 to stable/7:
    Improve periodic/security/550.ipfwlimit a bit:
    - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
    - handle rules without logging limit correctly [1]
    (those rules show up without logamount in "ipfw -a list")
  
    PR:		conf/126060 [1]
    MFC after:	1 month

Modified:
  stable/7/etc/   (props changed)
  stable/7/etc/periodic/security/550.ipfwlimit

Modified: stable/7/etc/periodic/security/550.ipfwlimit
==============================================================================
--- stable/7/etc/periodic/security/550.ipfwlimit	Sat Jan 10 18:19:22 2009	(r187030)
+++ stable/7/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:00:17 2009	(r187031)
@@ -42,19 +42,16 @@ rc=0
 
 case "$daily_status_security_ipfwlimit_enable" in
     [Yy][Ee][Ss])
-	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-	if [ $? -ne 0 ]; then
+	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
 		exit 0
 	fi
 	TMP=`mktemp -t security`
 	ipfw -a list | grep " log " | \
 	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
-	awk -v limit="$IPFW_LOG_LIMIT" \
+	awk \
 		'{if ($6 == "logamount") {
 			if ($2 > $7)
-				{print $0}
-		} else {
-			if ($2 > limit)
 				{print $0}}
 		}' > ${TMP}
 
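Review bot: the PR reports the same mis-handling of a 0 limit in 650.ip6fwlimit, but this changeset only touches 550.ipfwlimit; either the IPv6 script needs the matching change or the log message should say why it does not. On the awk itself, dropping the `else` branch means rules without `logamount` are now skipped entirely; that is the right outcome given comment 3 (a rule created with `logamount 0` lists without a logamount and has no limit), but a one-line comment in the script saying so would spare the next reader from re-deriving it.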
Comment 8 dfilter service freebsd_committer freebsd_triage 2009-01-10 19:03:49 UTC
Author: antoine
Date: Sat Jan 10 19:03:35 2009
New Revision: 187033
URL: http://svn.freebsd.org/changeset/base/187033

Log:
  MFC r181531 to stable/6:
    Improve periodic/security/550.ipfwlimit a bit:
    - don't run it if net.inet.ip.fw.verbose = 0 as it is pointless
    - handle rules without logging limit correctly [1]
    (those rules show up without logamount in "ipfw -a list")
  
    PR:		conf/126060 [1]
    MFC after:	1 month

Modified:
  stable/6/etc/   (props changed)
  stable/6/etc/periodic/security/550.ipfwlimit

Modified: stable/6/etc/periodic/security/550.ipfwlimit
==============================================================================
--- stable/6/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:01:29 2009	(r187032)
+++ stable/6/etc/periodic/security/550.ipfwlimit	Sat Jan 10 19:03:35 2009	(r187033)
@@ -42,19 +42,16 @@ rc=0
 
 case "$daily_status_security_ipfwlimit_enable" in
     [Yy][Ee][Ss])
-	IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
-	if [ $? -ne 0 ]; then
+	IPFW_VERBOSE=`sysctl -n net.inet.ip.fw.verbose 2> /dev/null`
+	if [ $? -ne 0 ] || [ "$IPFW_VERBOSE" -eq 0 ]; then
 		exit 0
 	fi
 	TMP=`mktemp -t security`
 	ipfw -a list | grep " log " | \
 	grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
-	awk -v limit="$IPFW_LOG_LIMIT" \
+	awk \
 		'{if ($6 == "logamount") {
 			if ($2 > $7)
-				{print $0}
-		} else {
-			if ($2 > limit)
 				{print $0}}
 		}' > ${TMP}
 
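Review bot: `[ "$IPFW_VERBOSE" -eq 0 ]` assumes `sysctl -n` printed a bare integer; if the value were empty or non-numeric, `test` would report an error and return non-zero, so the `||` chain would fall through and the script would keep running instead of exiting. Comment 3 asked that the script not run unless verbose is 1, so `[ "$IPFW_VERBOSE" != 1 ]` would match that intent exactly and also treat a malformed value as "do not run".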
Comment 9 Antoine Brodin freebsd_committer freebsd_triage 2009-01-10 19:10:55 UTC
State Changed
From-To: patched->closed

Fixed in head, stable/7 and stable/6.