[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Rusty Bird rustybird at openmailbox.org
Wed Jun 11 07:17:02 PDT 2014


Lennart Poettering:
> On Wed, 11.06.14 11:13, Rusty Bird (rustybird at openmailbox.org) wrote:
> 
>> Lennart Poettering:
>>> I am not convinced that the firewall being broken should break the
>>> boot.
>>
>> It shouldn't! But there should be at least an option (arguably the
>> default) to break *connectivity*.
> 
> well, but that's better solved with the firewalling logic itself. For
> example by first installing a drop-all rule in the tables, which is
> finally removed when all updates have been made. Should the script fail,
> then the firewall will not let any data through, and you should be fine.

I don't think it's possible to implement a fail-closed logic inside the
firewall payload: For example, the netfilter module could be missing
after a kernel upgrade, or a dynamically linked iptables binary could be
broken by a library upgrade, etc. Then you'll be unable to insert a
drop-all rule.

> I am not convinced that the init system should be involved in such a
> logic.

Isn't it troubling that the status quo requires so much unintuitive
and undocumented busywork from each user? For a security-critical
component! I mean, let's survey the landscape:

- Arch and Gentoo ship unsafe iptables-restore services, as do probably
most other distros.

- Folks on this mailing list who are more familiar with systemd than
I'll ever be proposed sensible looking dependency specifications, but
they turned out to be unsafe, too.

These DIY contraptions have some razor sharp edges. So why not factor
out the correct logic, at seemingly no cost beyond the minimal
overhead for an empty target?

Rusty
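An added illustration of the dependency pattern the thread is about (not code from this thread, from any distro's unit, or from systemd itself; the unit and file names, the rule-set paths and the choice of NetworkManager as the network manager are assumptions): a firewall service that pulls in and orders itself before network-pre.target, beside a drop-in that turns a failed rule load into withheld connectivity rather than an unfirewalled interface.

```ini
# /etc/systemd/system/firewall.service  (assumed unit name)
[Unit]
Description=Load netfilter rule set before any interface is configured
DefaultDependencies=no
# Pull in the passive target and order before it, as systemd.special(7)
# documents for firewall scripts. Ordering alone does NOT fail closed:
# if this unit fails, network-pre.target is still reached and the network
# manager proceeds, which is the "unsafe" shape described above.
Wants=network-pre.target
Before=network-pre.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Rule-set paths and restore binaries are assumptions for this example.
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/NetworkManager.service.d/fail-closed.conf
# (drop-in; substitute the network management service actually in use)
[Unit]
# After= ordering combined with Requires= means that if firewall.service
# fails to start (missing netfilter module, broken iptables binary, ...),
# this unit is not started either, so no interface is brought up without
# the rule set: the "break connectivity, not the boot" option argued for.
After=network-pre.target firewall.service
Requires=firewall.service
```

A missing or failing rule load then shows up as a failed firewall.service and an inactive network manager in `systemctl status`, instead of as silently open interfaces.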
