Bug #10957

closed

Improvement of Bogon tables handling needed

Added by Louis B about 5 years ago. Updated about 5 years ago.

Status: Needs Patch
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 10/05/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

As intro. A firewall should not pass traffic before all basic things like firewall rules, routing tables, security-vital packages, etc., are in place. This holds for initial install, restarts, updates, etc. An exception could be the management of the firewall itself, since you must be able to manage the router/firewall. Recently I noticed two bogon-table-related issues which violate this idea:

1) The firewall did not function correctly as a consequence of a higher than expected number of Bogons(V6) rules.
To prevent this I suggest:
a) to check the rule number against the max number of rules, and to stop loading if the maximum is reached (generating an error)
b) to issue a warning if the rule number reaches 2/3 of the max table size

2) After a new installation, e.g. when using an existing config, the firewall did start without Bogons(V6) rules.
To prevent this I suggest:
that the firewall should check if the needed rules (Bogons and maybe other types) are present. If not, they should be (down)loaded before the firewall becomes operational. The current workaround is to install the tables manually directly after startup (Diagnostics => Tables => BogonsV6 => Update)

I set the priority to Normal and not to Low, because it is security-related.
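As an added illustration of the two checks proposed in the report (the max-table-size check with a 2/3 warning threshold, and the "are the tables present before going operational" check), here is a small POSIX sh sketch. It is example code written for this page, not pfSense code and not taken from rc.update_bogons.sh. It assumes a bogon list is a text file with one prefix per line (blank lines and # comments ignored), that the table limit is passed in as a plain number (on a real system it would come from the configured maximum-table-entries setting), and the sample list and limit in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not pfSense code: the two checks proposed in the report,
# written as plain POSIX sh functions that a loader script could call before
# handing a bogon list to pf.
#
# Assumptions (not from the bug report): a bogon list is a text file with one
# prefix per line, blank lines and '#' comments ignored; the table limit is a
# plain number passed in (on a real box it would be read from the configured
# maximum-table-entries setting).

# count_entries FILE: print the number of usable entries in FILE (0 if missing).
count_entries() {
    [ -f "$1" ] || { echo 0; return; }
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# check_table_size COUNT MAX: return 0 when COUNT fits comfortably,
# 1 when COUNT is at or above 2/3 of MAX (warning), 2 when COUNT reaches
# MAX (error: the table must not be loaded).
check_table_size() {
    count=$1
    max=$2
    warn=$((max * 2 / 3))
    if [ "$count" -ge "$max" ]; then
        echo "ERROR: $count entries reach the table limit of $max, not loading" >&2
        return 2
    fi
    if [ "$count" -ge "$warn" ]; then
        echo "WARNING: $count entries are at or above 2/3 of the table limit ($max)" >&2
        return 1
    fi
    return 0
}

# table_ready FILE: succeed only if FILE exists and holds at least one entry,
# i.e. the presence check the report asks for before the firewall becomes
# operational.
table_ready() {
    [ "$(count_entries "$1")" -gt 0 ]
}

# Demo on a constructed list (documentation/test prefixes, not a real bogon feed)
# with a constructed limit of 4 entries.
demo() {
    sample=$(mktemp)
    printf '%s\n' '# constructed sample list' '2001:db8::/32' '' '100::/64' '2001:2::/48' > "$sample"
    n=$(count_entries "$sample")
    echo "entries: $n"
    check_table_size "$n" 4          # 3 entries >= 2/3 of 4 -> warning (returns 1)
    echo "size check returned $?"
    if table_ready "$sample"; then
        echo "table present, firewall may proceed"
    else
        echo "table missing or empty, (down)load it before going operational"
    fi
    rm -f "$sample"
}

demo
```

The return codes separate the three outcomes the report asks for (load, load with warning, refuse to load), so a caller can decide to abort the rc script on 2 and merely log on 1; table_ready is the gate a startup sequence would consult before enabling the bogon rules.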

#1

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Needs Patch
  • Target version deleted (2.5.0)

Feel free to submit a PR which implements a proposed change.

#2

Updated by Viktor Gurov about 5 years ago

a) to check the rule number against the max number of rules, and to stop loading if the maximum is reached (generating an error)

It already contains the max number check:
https://github.com/pfsense/pfsense/blob/5722cba4628dab13b198d75bec87cf95898db002/src/etc/rc.update_bogons.sh#L138-L150
