Contributed by merdely on from the scary-network-stories dept.
Ray Percival writes:
It all started when my PFY and I were asked to figure out how to filter on MAC addresses for a meshed wireless network that we had designed and built in the recent past. Yes, I'm well aware that filtering on MACs is pretty silly, but our options were closed on that front as the request for it was coming from folks above our boss who were very unlikely to listen to reason on this subject. So we set out to find a cool answer to a stupid question.
Ray continues his story explaining how he found a bug, it was confirmed and fixed.
Since we were already running OpenBSD on the DHCP server for that network, that seemed the obvious place to start looking. I recalled reading an article about Chris Kuethe's (ckuethe@) work on dhcpd and pf integration and, to be honest, had been hoping for an excuse to play with it for some time. So I set out to build a proof of concept. Setting up the dhcpd to only serve IPs to boxes that we had given it MACs for was easy, thanks to the excellent OpenBSD manpages (dhcpd.conf(5)); the problem was figuring out how to make pf only allow people who had gotten an IP from the server to have access to the network beyond itself.
This is where Chris' work on dhcpd came in. He had created a patch, since committed, that allowed dhcpd to pass information about abandoned IPs and IPs that it had leases for to pf tables, which makes it very easy to filter on those IPs. [-L, -A and -C options explained in dhcpd(8)] After writing a few pf rules, starting dhcpd, and having my test laptop pull an address from my shiny new server, it all failed to work. After troubleshooting for a while it became clear that dhcpd wasn't populating the table and that if I populated the table by hand the pf rules worked.
So I did what any good admin would do: bitched about it on IRC. Chris assured me that it worked on his server; Mike Erdely tested it on a box of his and confirmed that it didn't work for him either. At this point Chris suggested looking at pfutils.c. Nicholas Marriott started to do so and a few minutes later reported that, as near as he could tell, you had to use both -A and -L. For this project I was only using -L. I tested with that and things started working.
And with that the bug had been found and I had a workaround that was more than good enough until it's patched. Try doing that with a closed source product.
Thanks to everybody involved, even those who just idled.
Within 24 hours, ckuethe@ had a fix created, tested and committed.
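The setup Ray describes, written out as an added example (not code from the article, from Ray, or from the OpenBSD manpages): a dhcpd.conf that hands out leases only to known MACs, a pf.conf that lets only dhcpd-leased addresses past the box, and the dhcpd flags that feed the pf tables. The interface name, addresses, MAC address and table names are assumptions; both -A and -L are given, which is the workaround Ray reported for the bug.

```conf
# ---- /etc/dhcpd.conf (constructed example) ----
# Only clients listed in a host block below get a lease from this range.
subnet 192.168.50.0 netmask 255.255.255.0 {
    option routers 192.168.50.1;
    option domain-name-servers 192.168.50.1;
    range 192.168.50.100 192.168.50.200;
    deny unknown-clients;
}

# One host block per permitted MAC; no fixed-address, so it still gets a
# dynamic lease, but it counts as a "known" client.
host laptop-01 {
    hardware ethernet 00:11:22:33:44:55;   # constructed MAC
}

# ---- /etc/pf.conf (constructed example) ----
wifi_if = "em0"                    # assumed interface facing the mesh

# dhcpd fills these at run time via -L (leases) and -A (abandoned IPs).
# "persist" keeps the tables around even while they are empty.
table <leased>    persist
table <abandoned> persist

set skip on lo
block in on $wifi_if

# Clients must be able to talk to dhcpd before they have an address:
# DHCP requests arrive as UDP from bootpc (68) to bootps (67).
pass in on $wifi_if inet proto udp from port bootpc to port bootps

# Addresses dhcpd has flagged as abandoned never get through.
block in quick on $wifi_if inet from <abandoned> to any

# Only addresses dhcpd has actually leased may reach anything beyond this box.
pass in on $wifi_if inet from <leased> to any

# ---- /etc/rc.conf.local (constructed example) ----
# Both -A and -L are passed: with -L alone the leased table stayed empty
# until the dhcpd fix was committed.
dhcpd_flags="-A abandoned -L leased em0"

# ---- checking that dhcpd is populating the table ----
# After a client pulls a lease, its address should be listed:
#   pfctl -t leased -T show
```

If the table is empty after a client has a lease, the dhcpd side is the place to look, since adding an address by hand with `pfctl -t leased -T add` will make the pass rule work regardless.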