Does this create a security hole?



  • I'm hoping one of the pfSense gurus here can tell me if any of the following events create a temporary insecure condition:

    • When the pfSense box is rebooted.

    • After updating the firewall rules when the Apply Changes button is clicked during the time the filter rules are being reloaded.

    • Any other type of event not mentioned above.

    What happens to the firewall? 
    Is the firewall temporarily left wide open, or do the interface(s) stay blocked/secure except for any states already in the state table (which on initial boot should mean everything is blocked)?

    Thanks…



  • Is there any specific reason you are looking into this?

    I don't know the answer myself but I would assume (I know we should never assume but here goes) that the interfaces would only allow what the firewall rules / state table allows.

    If it doesn't work that way it would seem like a VERY tiny window of opportunity for someone to sneak in. Not to mention pretty odd.



  • Since the ruleset only allows traffic that's explicitly allowed I wouldn't consider this a possible insecure timeframe. But I don't know for sure, I guessed.



  • @RyujinJakka:

    Is there any specific reason you are looking into this?

    I don't know the answer myself but I would assume (I know we should never assume but here goes) that the interfaces would only allow what the firewall rules / state table allows.

    If it doesn't work that way it would seem like a VERY tiny window of opportunity for someone to sneak in. Not to mention pretty odd.

    The thought crossed my mind because I've been doing a lot of experimenting, which means lots of reloads. I watched a DEFCON presentation a year or so back. I don't remember much about it, except that this temporary firewall outage vulnerability was what was used to perform an exploit. The comment was also made that most consumer routers are vulnerable after a power failure for just that reason. (Don't know if things have changed or if it applies to pfSense.)

    Small risk yes, but not insignificant… not going to lose much sleep over it, but if it's an issue I would still like to know.

    @jahonix:

    Since the ruleset only allows traffic that's explicitly allowed I wouldn't consider this a possible insecure timeframe. But I don't know for sure, I guessed.

    Thanks for the comment… good hypothesis; it would be nice if someone who knows the source could comment.



  • The firewall defaults to deny, so until the ruleset is loaded it will not allow any traffic. When you apply changes it just switches from the previous ruleset to the new one. No temporary insecure condition exists.



  • @dotdash:

    The firewall defaults to deny, so until the ruleset is loaded it will not allow any traffic. When you apply changes it just switches from the previous ruleset to the new one. No temporary insecure condition exists.

    Thanks… what about during boot... before the firewall starts?  Are the interfaces still default deny?



  • You've seen too many … movies, haven't you?  :D

    Once again: no traffic can pass unless there's an allow rule. During boot there is no allow rule, hence no traffic passes.
    Think of pass rules as an active decision. This is not Windows with all kinds of service bindings to the ethernet connection.
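
    As an added illustration (not code from this thread, from pfSense or from pf itself), here is a small Python model of the rule evaluation the two posts above rely on: pf checks every rule in order, the last matching rule decides, and a matching `quick` rule ends evaluation at once. The model also makes the caveat behind "defaults to deny" visible: in stock pf a packet that matches no rule at all is passed (pf.conf(5)); pfSense gets its deny-by-default behaviour by generating explicit `block` rules at the top of the ruleset. The `Packet`/`Rule` classes, the interface names `wan0`/`lan0`, and both rulesets below are constructed for the example and are not a dump from a real box.

    ```python
    """Toy model of pf ruleset evaluation (added example, not pf or pfSense code).

    Semantics modelled:
      * rules are evaluated top to bottom; the LAST matching rule decides,
      * a matching rule marked 'quick' stops evaluation immediately,
      * if no rule matches, pf's implicit default is 'pass' (pf.conf(5)).
    """
    from dataclasses import dataclass
    from typing import Dict, List, Optional


    @dataclass(frozen=True)
    class Packet:
        iface: str                  # interface the packet is seen on
        direction: str              # "in" or "out"
        proto: str                  # "tcp", "udp", "icmp", ...
        dst_port: Optional[int] = None


    @dataclass(frozen=True)
    class Rule:
        action: str                        # "pass" or "block"
        direction: Optional[str] = None    # None matches both directions
        iface: Optional[str] = None        # None matches any interface
        proto: Optional[str] = None        # None matches any protocol
        dst_port: Optional[int] = None     # None matches any port
        quick: bool = False                # stop at this rule if it matches

        def matches(self, pkt: Packet) -> bool:
            return ((self.direction is None or self.direction == pkt.direction)
                    and (self.iface is None or self.iface == pkt.iface)
                    and (self.proto is None or self.proto == pkt.proto)
                    and (self.dst_port is None or self.dst_port == pkt.dst_port))


    def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
        """Return 'pass' or 'block' for pkt under ruleset, pf style."""
        decision = "pass"              # implicit default when nothing matches
        for rule in ruleset:
            if rule.matches(pkt):
                decision = rule.action  # last match wins ...
                if rule.quick:          # ... unless the match is 'quick'
                    break
        return decision


    # An empty ruleset: what raw pf does before any rules are loaded.
    EMPTY_RULESET: List[Rule] = []

    # Constructed to mirror the SHAPE of a pfSense-generated ruleset: explicit
    # block rules first, then per-interface pass rules flagged quick. Not a
    # real pfSense rule dump.
    PFSENSE_STYLE_RULESET: List[Rule] = [
        Rule(action="block", direction="in"),
        Rule(action="block", direction="out"),
        Rule(action="pass", direction="in", iface="wan0", proto="tcp",
             dst_port=443, quick=True),
        Rule(action="pass", direction="in", iface="lan0", quick=True),
    ]

    # Constructed sample traffic (hypothetical interface names wan0 / lan0).
    SAMPLE_PACKETS: Dict[str, Packet] = {
        "ssh_from_wan": Packet("wan0", "in", "tcp", 22),
        "https_from_wan": Packet("wan0", "in", "tcp", 443),
        "dns_from_lan": Packet("lan0", "in", "udp", 53),
    }


    def decisions(ruleset: List[Rule]) -> Dict[str, str]:
        """Evaluate every sample packet against ruleset."""
        return {name: evaluate(ruleset, pkt) for name, pkt in SAMPLE_PACKETS.items()}


    if __name__ == "__main__":
        print("empty ruleset (raw pf):     ", decisions(EMPTY_RULESET))
        print("pfSense-style ruleset:      ", decisions(PFSENSE_STYLE_RULESET))
    ```

    Run stand-alone, the empty ruleset passes all three sample packets, while the pfSense-style ruleset blocks the unsolicited SSH attempt from the WAN and passes only the two explicitly allowed flows. The practical point for the thread is that "no allow rule means no traffic" holds because pfSense's generated ruleset leads with block rules, not because pf on its own denies by default; on a live box `pfctl -sr` shows those leading block rules, and `pfctl -s info` shows whether pf is enabled at all.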



  • @jahonix:

    You've seen too many … movies, haven't you?  :D

    Yup!  :)  But at least one was a DEFCON presentation, and if I remember correctly the router in question was Linux based, which I know is a different animal.
    Seriously thanks for the answer.

    @jahonix:

    Once again: no traffic can pass unless there's an allow rule. During boot there is no allow rule, hence no traffic passes.
    Think of pass rules as an active decision. This is not Windows with all kinds of service bindings to the ethernet connection.

    I understand what you are saying about the firewall rules and how they work, so rule updates are safe.  I get that.

    What about NO firewall before it comes up during the boot process? (That's why I asked the question again.)

    Or can that never happen? Is pf baked into the kernel, and therefore active before network interfaces come online?

    Thanks…



  • To route traffic there has to be a route first.

    @guardian:

    What about NO Firewall before it comes up during the boot process?

    What do you expect?
    Who or what should take your evil packets and transport (route!) them to your private network? Merlin?



  • I can't address the exact startup sequence, but pf controls port forwarding and NAT. So, if for some reason pf was stopped/not active, only the firewall itself would be exposed (barring some sort of transparent setup).