Subject: Re: New IP filter code
To: Jonathan Stone <jonathan@dsg.stanford.edu>
From: Jason Thorpe <thorpej@nas.nasa.gov>
List: tech-net
Date: 04/01/1997 17:23:08
On Tue, 01 Apr 1997 17:07:56 -0800 
 Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:

 > Executive summary:
 > 
 > The [sic] fix in NetBSD's ip_fil is perceived by security-weenies
 > as a security flaw.
 > 
 > So, how about this: we add a hook to ip_fil's pseudo-device attach
 > routine, to turn on filtering, so those that rely on the old semantics
 > get it by default; and we add a config option that turns off that
 > call, so those who need to configure fail-open can do so.

"Yuck."

I think that this kernel option should not exist... actually, I feel
more strongly about it than that... s/think/insist/ :-)

Rationale:

The reason the old behavior existed was purely by chance of a namespace
collision.  AFAICT, BSD systems that initialize pseudo-devices the way
we do exhibit the bug.  Other systems do not.  This was an inconsistency,
and there was even an icky kludge in the code to work around it!

In case you weren't aware, the old code always hooked IP Filter into
the IP I/O stream, but defaulted the rules to "pass everything", because
without that kludge, no packets would have ever made it through!

So, the current behavior of having to explicitly enable the filter
after pushing up the rules is really basically the same behavior
as before ... in the previous code, all packets were passed before
you pushed up new rules!

So, your "old semantics" argument isn't even really valid, given
how it actually worked.

What you can do, however, to get the semantics you want, is to put:

	/sbin/ipf -E

first in /etc/rc.

Jason R. Thorpe                                       thorpej@nas.nasa.gov
NASA Ames Research Center                               Home: 408.866.1912
NAS: M/S 258-6                                          Work: 415.604.0935
Moffett Field, CA 94035                                Pager: 415.428.6939
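The following is an added example, not part of the thread above and not NetBSD's or IP Filter's own rc code. It shows the boot-time ordering the message recommends (enable the filter first, then load rules) written as a small sh function with each step checked, so that a failure is reported to the boot script instead of being ignored. The paths in IPF and RULES and the `-Fa -f` rule-loading form are assumptions taken from the conventional ipf invocation, not from the message.

```shell
#!/bin/sh
# Added example (not from the original thread): bring IP Filter up in the
# order the message suggests -- turn the filter on before pushing rules.
# IPF and RULES are assumed defaults; override them by assigning the
# variables before calling ipf_bringup.
IPF="${IPF:-/sbin/ipf}"
RULES="${RULES:-/etc/ipf.conf}"

ipf_bringup() {
    # Step 1: enable the filter first (this is the "/sbin/ipf -E first in
    # /etc/rc" from the message). Return 1 if it fails so the caller can
    # decide not to bring interfaces up.
    "$IPF" -E || {
        echo "ipf_bringup: could not enable filter" >&2
        return 1
    }

    # Step 2: flush any stale rules and load the configured set. -Fa -f is
    # the conventional ipf invocation and is assumed here. Return 2 so a
    # rule-load failure is distinguishable from an enable failure; the
    # filter is left in whatever state ipf put it in.
    "$IPF" -Fa -f "$RULES" || {
        echo "ipf_bringup: rule load from $RULES failed" >&2
        return 2
    }
    return 0
}
```

Call `ipf_bringup || exit 1` from /etc/rc before any network interfaces are configured; the distinct return codes let the boot script log which step failed.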