Subject: Re: ipfilter loading.
To: Jason Thorpe <thorpej@nas.nasa.gov>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-kern
Date: 04/28/1997 22:16:41
Jason Thorpe writes:
>My third and final reason is this:
>
> Whether ipfilter is "enabled early" or not _should not matter_!
> (If it does, please don't muck with my firewall, okay?)
OK. This is where we disagree. If I configure ipfilter into a kernel,
I want IPfilter to break the networking stack utterly and completely,
until and unless I add filter rules that tell ipfilter something
different.
Otherwise, it really *DOES* matter whether ipfilter is enabled early
or not. If you don't enable it early, or don't enable it at all, then
you have a security hole.
Accidents and smiconfigurations do happen. An earlier incarnation of
this debate happened the same day that a major Internet vendor
accidentally goofed and a gaping hole in their firewall. I am not
making this up. So I want the default configuration to be as safe as
possible. A default of `No firewall at all' just doesn't cut it for me.
Yes, this _is_ operational paranoia. But that's (arguably) what
security is all about.
>Let's look at this for a second...
>
> (1) ipf -E in /etc/netstart before any interfaces are ifconfig'd up.
> This gets the rules in place before you can even _receive_
> packets. If the rules are installed before any interfaces
> are enabled, this gives you the behavior that you want.
> (That is, unless you are _completely_ miscommunicating
> what it is that you want.)
What I want is a secure default.
Having to run "ipf -E" in netstart is not as secure as having the
effect of "ipf -E" be the default behaviour for ipfilter.
>From a security standpoint, being less secure is a misfeature, a _bug_.
> (2) The previous default rule when ipfilter was enabled was
> "all pass"
No, it wasn't, not in the versions I've been using.
> (this is obvious, otherwise the networking
> on my hp380, which has ipfilter in the kernel, but didn't
> have rules installed at the time, would not have worked).
Aha! That's precisely the behavior I'm looking for. Because it's the
most secure way ipfilter can behave.
> Thus, you needed an option _anyway_ to get the behavior
> you want.
The versions I've been using (which are old) have always had the
behaviour I desire. Going back to (looks) 2.8.2 or thereabouts.
This is the behaviour that mrg wants, that Darren wants, and that I want.
If this causes a problem for portmasters, then I think ipfilter should
be commented out of the GENERIC config and portmasters should learn
not to turn it on. If people want it, they can install LKMs while
securelevel is low enough to do so. If they don't want it, they
shouldn't configure or modload ipfilter.