Bug 78785 - [patch] ipfw(8) verbosity locks machine if /etc/rc.firewall is run remotely
Summary: [patch] ipfw(8) verbosity locks machine if /etc/rc.firewall is run remotely
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 5.3-RELEASE
Hardware: Any  OS: Any
Importance: Normal  Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2005-03-13 14:00 UTC by Andrea Venturoli
Modified: 2017-12-31 22:35 UTC
Description Andrea Venturoli 2005-03-13 14:00:06 UTC
Running "sh /etc/rc.firewall" remotely (e.g. over ssh) locks the machine out if a preprocessor is used.
First, rules are flushed, then they should be reloaded, but the -p option outputs "command is ..." even if the -q option is used. This results in session disconnection *before* rules are actually reloaded, so only the default deny will be there. It is then obviously impossible to login again.
Notice that using screen (from the ports tree) is a viable workaround when no console access is possible.
4.x machines are not affected, unless ipfw2 is used instead of ipfw; all 5.x and later boxes use ipfw2, so they should exhibit this problem, though I can only confirm this for 5.3.

Fix: 

As said above, use /usr/ports/misc/screen.
Alternatively, here is a patch for /usr/src/sbin/ipfw/ipfw2.c (this is for 5.3p5 (ipfw2.c,v 1.54.2.3), but so simple that it should not be difficult to adapt it to newer revisions):

4031c4031,4032
<                       fprintf(stderr, "command is %s\n", av[0]);
---
>                       if (!do_quiet)
>                               fprintf(stderr, "command is %s\n", av[0]);
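Review bot: the guard sits where the -p preprocessor command is announced, so it only honours do_quiet if -q has already been parsed; the report itself says -q must be given *before* -p for this to work. Consider recording the preprocessor path during option parsing and moving `if (!do_quiet) fprintf(stderr, "command is %s\n", av[0]);` to after the parsing loop, so the flag order stops mattering; failing that, the ordering requirement belongs in ipfw(8).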

You will need to specify -q *before* -p. (This, again, would not be too difficult to fix.)
How-To-Repeat:
(Be sure either to have console access or to schedule a reboot before you begin.)
Put the following line in /etc/rc.conf:
	firewall_flags="-q -p /usr/bin/somepreprocessor"
Login remotely and issue "sh /etc/rc.firewall".
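The flag-ordering dependence the report describes (-q must precede -p), shown as an added, constructed model; this is not ipfw2.c and is not the reporter's patch. It assumes a hypothetical option loop in which the "command is" notice is written at the moment -p is seen, and contrasts it with a variant that decides only after all flags are parsed. The sample argument vectors are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of how a "command is ..." notice interacts with -q.
 * Each function returns 1 if the notice would be written to stderr and 0 if
 * it is suppressed. Writing that line to the caller's session is the
 * trigger the report describes when rules have already been flushed.
 */

/* Notice checked at the point -p is handled: do_quiet is honoured only if
 * -q was parsed earlier on the command line (the ordering the report notes). */
static int notice_emitted_eager(int argc, const char *const argv[])
{
    int do_quiet = 0;
    int emitted = 0;

    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-q") == 0) {
            do_quiet = 1;
        } else if (strcmp(argv[i], "-p") == 0 && i + 1 < argc) {
            const char *preproc = argv[++i];
            if (!do_quiet) {
                fprintf(stderr, "command is %s\n", preproc);
                emitted = 1;
            }
        }
    }
    return emitted;
}

/* Order-independent variant: remember the preprocessor path, finish
 * parsing every flag, and only then decide whether to print. */
static int notice_emitted_deferred(int argc, const char *const argv[])
{
    int do_quiet = 0;
    const char *preproc = NULL;

    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-q") == 0)
            do_quiet = 1;
        else if (strcmp(argv[i], "-p") == 0 && i + 1 < argc)
            preproc = argv[++i];
    }
    if (preproc != NULL && !do_quiet) {
        fprintf(stderr, "command is %s\n", preproc);
        return 1;
    }
    return 0;
}

/* Constructed argument vectors (not real invocations from the report). */
#define ARGC_OF(a) ((int)(sizeof(a) / sizeof((a)[0])))
static const char *const sample_q_first[] =
    { "ipfw", "-q", "-p", "/usr/bin/somepreprocessor", "/etc/ipfw.rules" };
static const char *const sample_p_first[] =
    { "ipfw", "-p", "/usr/bin/somepreprocessor", "-q", "/etc/ipfw.rules" };
static const char *const sample_no_q[] =
    { "ipfw", "-p", "/usr/bin/somepreprocessor", "/etc/ipfw.rules" };

int main(void)
{
    /* Eager check: quiet only when -q came first. */
    printf("eager, -q first:    %d\n",
           notice_emitted_eager(ARGC_OF(sample_q_first), sample_q_first));
    printf("eager, -p first:    %d\n",
           notice_emitted_eager(ARGC_OF(sample_p_first), sample_p_first));
    /* Deferred check: quiet regardless of flag order, loud only without -q. */
    printf("deferred, -p first: %d\n",
           notice_emitted_deferred(ARGC_OF(sample_p_first), sample_p_first));
    printf("deferred, no -q:    %d\n",
           notice_emitted_deferred(ARGC_OF(sample_no_q), sample_no_q));
    return 0;
}
```

The deferred variant is the shape a fix would take if the ordering requirement is to go away: all flags are known before any output decision is made, so `firewall_flags="-p ... -q"` and `"-q -p ..."` behave the same.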
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2005-10-24 06:11:22 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:14 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped