| commit | edc82714c453a81062a07938e8f984e2bc5251c3 | |
|---|---|---|
| author | Toshi Kikuchi <toshik@fuchsia.infra.roller.google.com> | Thu Jan 21 02:40:06 2021 +0000 |
| committer | Copybara-Service <copybara-worker@google.com> | Wed Jan 20 18:41:15 2021 -0800 |
| tree | c5e91e3754f6ded7e226a5b6a5f7857f192d616d | |
| parent | 1dccc6d0765ac3a9adce0d7b60450d223b485bff | |

[roll] Roll fuchsia [netcfg] Update the netcfg to be default deny.

This is a reland of c04b1577c53206e2b1affa9e377f8ef41901168b with 2 changes:

- Add "no state" on "pass in" rules.
- Add "wlan" to "filter_enabled_interface_types" in default.json.

Adding "no state" on "pass in" rules stops the state tracker from being enabled for a tcp connection. We observed the state tracker reported "bad TCP state" error and dropped some packets strangely. That was the reason for the previous revert.

The second change is necessary to enable filter rules on wlan interface.

Tested by paving on a local device and connected to WiFi AP.

Original change's description:

> Updates the netcfg firewall to be default deny with a broad list of open
> ports in contrast to default allow.
>
> Test:
> Tested by paving a local device, connecting to home wifi network, and
> running nmap.
> ----
> arkay@arkay-macbookpro:~$ sudo nmap 192.168.86.55 -p-
> Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-13 14:37 PST
> Nmap scan report for 192.168.86.55
> Host is up (0.0061s latency).
> Not shown: 65525 closed ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 8007/tcp open ajp12
> 8008/tcp open http
> 8009/tcp open ajp13
> 8012/tcp open unknown
> 8443/tcp open https-alt
> 9000/tcp open cslistener
> 9222/tcp open teamcoherence
> 10001/tcp open scp-config
> 10101/tcp open ezmeeting-2
> MAC Address: F8:0F:F9:64:9E:41 (Unknown)
>
> Nmap done: 1 IP address (1 host up) scanned in 216.77 seconds
>
> Original-Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/457660

Original-Bug: 67895
Original-Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/472502
Original-Revision: a5a6a5b65dd5fee1ab3dead876595b6a9b325a10
GitOrigin-RevId: 9e56e133ad2d25d7f2c2bf3416e9bf491cb6ed16
Change-Id: I6d55e5c8aab5b4b670fa708e8d43a54041260eef

This repository contains Fuchsia's Global Integration manifest files.
All changes should be made to the internal version of this repository. Our infrastructure automatically updates this version when the internal one changes.
Currently all changes must be made by a Google employee. Non-Google employees wishing to make a change can ask for assistance via the IRC channel #fuchsia on Freenode.
First install Jiri.
Next run:
```
$ jiri init
$ jiri import minimal https://fuchsia.googlesource.com/integration
$ jiri update
```
Third party projects should have their own subdirectory in ./third_party.