Bug 165939 - [ipfw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf
Summary: [ipfw] bug: incomplete firewall rules loaded if tables are used in ipfw.conf
Status: Closed Overcome By Events
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-11 19:10 UTC by Radim Kolar
Modified: 2020-05-23 19:45 UTC
Description Radim Kolar 2012-03-11 19:10:14 UTC
If a user has tables used in /etc/ipfw.conf, for example:

table 1 add 64.6.108.239

then firewall restart:

/etc/rc.d/ipfw start

fails with:
Line 8: setsockopt(IP_FW_TABLE_ADD): File exists
Firewall rules loaded.

and an incomplete ruleset is loaded. This is a serious security problem.

Fix: 

in /etc/rc.firewall

after ${fwcmd} -f flush
you need to flush tables too with command

ipfw table all flush
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2012-03-12 00:51:29 UTC
Responsible Changed
From-To: freebsd-bugs->secteam

over to secteam for analysis.
Comment 2 Chris Rees freebsd_committer 2012-07-14 17:11:41 UTC
Responsible Changed
From-To: secteam->freebsd-bugs

More of an ipfw problem-- "maintainers" will be emailed shortly
Comment 3 Chris Rees freebsd_committer 2012-07-14 17:14:12 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Beg pardon-- forgot there was a mailing list
Comment 4 Chris Rees freebsd_committer 2012-07-14 22:00:29 UTC
Responsible Changed
From-To: freebsd-ipfw->secteam

Reassign as per request.
Comment 5 Remko Lodder freebsd_committer 2012-07-14 22:46:10 UTC
Responsible Changed
From-To: secteam->freebsd-ipfw

After consulting with the secteam members, it seems that this might 
indeed be a documentation issue or a bug. Assign it per example of 
crees to the IPFW team.
Comment 6 smithi 2012-10-29 13:17:39 UTC
This is not a bug but a feature, at least for those of us managing some
or all ipfw tables independently of the ruleset. In such cases flushing
tables would be a bug, requiring addition of all entries in tables used
to be included in the ruleset before using service ipfw restart. This
would be unwieldy at best, esp. for tables updated dynamically by hand
and/or by other scripts monitoring logs and such (I use both).

I think ipfw(8) is clear enough that ipfw flush just flushes rules, not
tables, nat or dummynet configs, but emphasising that may be helpful?

For those using tables only defined in their ruleset, adding 'ipfw table
all flush' (or better, flushing particular tables used by the ruleset)
before the first 'ipfw table add ..' command is certainly necessary.

cheers, Ian
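The two remedies discussed above (the reporter's `ipfw table all flush` after the rule flush, and Ian's narrower "flush only the tables the ruleset itself populates, before the first `table N add`") can be combined into a preprocessing step. The script below is an added example, not code from the bug report or from FreeBSD's /etc/rc.firewall; it reads an ipfw.conf-style ruleset (one ipfw command per line, as loaded by `ipfw -q <file>`) on standard input and inserts `table N flush` before the first `table N add` of each table, leaving tables the ruleset never adds to untouched and skipping tables the ruleset already flushes. The sample ruleset at the bottom is constructed for the demo; the addresses in it are documentation/example addresses, not real hosts.

```shell
#!/bin/sh
# Added example: make an ipfw.conf ruleset safe to reload.
#
# Problem from the bug report: on "service ipfw restart", rc.firewall runs
# "ipfw -f flush" (rules only), so a second "table N add <addr>" for an
# entry that survived the flush fails with
#   setsockopt(IP_FW_TABLE_ADD): File exists
# and ipfw stops reading the file, leaving an incomplete ruleset loaded.
#
# Mitigation: flush each table the ruleset populates, but only those, so
# tables maintained by other tools (log monitors, manual additions) keep
# their entries, as Comment 6 asks for.

# ruleset_tables: print the distinct tables the ruleset adds entries to,
# in order of first appearance. Useful to compare against
# "ipfw table all list" when checking what a reload will touch.
ruleset_tables() {
    awk '$1 == "table" && $3 == "add" && !seen[$2]++ { print $2 }'
}

# prepare_ruleset: copy the ruleset through, inserting "table N flush"
# immediately before the first "table N add" of each table N.
# A table the ruleset already flushes earlier is left alone, so running
# this filter twice does not stack a second flush line.
prepare_ruleset() {
    awk '
        $1 == "table" && $3 == "flush" { seen[$2] = 1 }
        $1 == "table" && $3 == "add" && !seen[$2] {
            print "table " $2 " flush"
            seen[$2] = 1
        }
        { print }
    '
}

# Demo on a constructed ruleset (not the reporter's real configuration).
# Table 3 is already flushed by the ruleset; table 9 is only referenced,
# never added to, so it is assumed to be managed outside the ruleset and
# is left untouched.
demo() {
    cat <<'EOF' | prepare_ruleset
add 100 allow ip from any to any via lo0
table 1 add 192.0.2.10
table 1 add 198.51.100.0/24
table 2 add 203.0.113.5
table 3 flush
table 3 add 192.0.2.77
add 200 deny ip from table(1) to any
add 210 deny ip from table(9) to any
add 65000 allow ip from any to any
EOF
}

# Typical use (assumed workflow, not part of rc.firewall):
#   prepare_ruleset < /etc/ipfw.conf > /etc/ipfw.conf.prepared
#   ipfw -q /etc/ipfw.conf.prepared
demo
```

Note that `table all flush`, the reporter's proposed one-line fix, is the right choice only when every table on the system is defined in the ruleset; the filter above encodes Ian's point that a ruleset should flush exactly the tables it owns, so a restart neither aborts on `File exists` nor wipes tables that other scripts populate.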
Comment 7 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:01 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped