Bug 78785
| Summary: | [patch] ipfw(8) verbosity locks machine if /etc/rc.firewall is run remotely | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Andrea Venturoli <freebsd> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Open --- | ||
| Severity: | Affects Only Me | Keywords: | patch |
| Priority: | Normal | ||
| Version: | 5.3-RELEASE | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-bugs->freebsd-ipfw Over to maintainer(s). For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped Keyword:
patch
or patch-ready
– in lieu of summary line prefix:
[patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface:
<https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
|
Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used. First, rules are flushed, then they should be reloaded, but -p option outputs "command is ..." even if -q option is used. This result in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then oviously impossible to login again. Notice that using screen (from the port tree) is a viable workaround, when no console access is possible. 4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so should exhibit this problem, though I can only confirm this for 5.3. Fix: As said above, use /usr/ports/misc/screen. Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 1.54.2.3), but so simple that it should not be difficult to adapt it to newer revisions): 4031c4031,4032 < fprintf(stderr, "command is %s\n", av[0]); --- > if (!do_quiet) > fprintf(stderr, "command is %s\n", av[0]); You will need to specify -q *before* -p. (This again would not too be difficult to fix). How-To-Repeat: (Be sure either to have console access or to schedule a reboot before you begin). Put the following line in /etc/rc.conf: firewall_flags="-q -p /usr/bin/somepreprocessor" Login remotely and issue "sh /etc/rc.firewall".