Bug 249972 - Trusted hosts in rc.firewall are only trusted in one direction
Summary: Trusted hosts in rc.firewall are only trusted in one direction
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 12.1-RELEASE
Hardware: i386 Any
Importance: --- Affects Some People
Assignee: freebsd-rc (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-29 01:01 UTC by Archit Shah
Modified: 2020-10-04 03:36 UTC (History)

See Also:



Description Archit Shah 2020-09-29 01:01:00 UTC
I attempted to configure an IPSec transport mode connection between a host and a trusted peer (e.g. 10.0.1.2) using the "workstation" mode ipfw firewall.  The firewall appears not to have allowed outgoing packets.  The following diff addresses the specific test case I had and appears to be consistent with the concept of a trusted peer.

> diff /etc/rc.firewall /tmp/rc.firewall.diff 
516c516
<         ${fwcmd} add pass ip from $i to me
---
>         ${fwcmd} add pass ip from $i to me keep-state :default
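Review bot: `keep-state` on the inbound rule at line 516 only creates a dynamic entry once the trusted host $i has sent a packet, so a flow that this host initiates toward $i (the outgoing IPsec transport-mode packets described above) still has nothing to match until the peer speaks first. The symmetric rule mentioned below as an alternative, `${fwcmd} add pass ip from me to $i`, covers both directions regardless of which side initiates and is the more complete fix; if the keep-state form is kept instead, it depends on a `check-state` (or another stateful) rule earlier in the ruleset for the dynamic entry to be consulted, and the `:default` flow name requires an ipfw with named dynamic states.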

Alternatively, a second rule per trusted peer could be added to pass packets to the peer ("${fwcmd} add pass ip from me to $i").

Configuration example below:

firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22,80,443/tcp"
firewall_allowservices="0.0.0.0/0"
firewall_trusted="10.0.1.2 10.3.4.5 10.6.7.8"
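An added shell example (not FreeBSD's rc.firewall) that emits the rules the workstation trusted-host loop would install, in the one-direction form the report describes and in the symmetric form it proposes, with ${fwcmd} pointed at echo so it runs as a dry run; firewall_trusted is the report's sample list, and missing_outbound is a hypothetical audit helper that lists trusted hosts with no rule passing traffic to them.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall. $fwcmd is pointed at echo so
# nothing touches a live firewall; "me" is ipfw's keyword for local addresses.
fwcmd="echo ipfw"
firewall_trusted="10.0.1.2 10.3.4.5 10.6.7.8"   # sample list from the report

# Current rc.firewall behaviour: one rule per trusted host, inbound only.
# Locally initiated traffic to $i falls through to the later deny rules.
trusted_rules_oneway() {
    for i in ${firewall_trusted}; do
        ${fwcmd} add pass ip from $i to me
    done
}

# Symmetric variant: pass traffic in both directions for each trusted host,
# so flows this host initiates (e.g. IPsec transport mode to the peer) pass
# regardless of which side sends the first packet.
trusted_rules_symmetric() {
    for i in ${firewall_trusted}; do
        ${fwcmd} add pass ip from $i to me
        ${fwcmd} add pass ip from me to $i
    done
}

# Hypothetical audit helper: read a rule listing on stdin and print every
# trusted host that has no "from me to <host>" pass rule.
missing_outbound() {
    rules=$(cat)
    for i in ${firewall_trusted}; do
        printf '%s\n' "$rules" | grep -q "from me to $i\$" || echo "$i"
    done
}

# Dry run: show which hosts the one-way ruleset leaves unreachable.
trusted_rules_oneway | missing_outbound
```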
Comment 1 Mark Linimon 2020-10-04 03:36:28 UTC
^Triage: assign to appropriate mailing list.
^Triage: reset the now-obsolete "patch" Keyword.