Berkeley Packet Filter (BPF) unset by default to avoid security vulnerabilities, why?

seanm

Guru
Joined
Jun 11, 2018
Messages
570
I'm just learning about iocage and am unsure about the Berkeley Packet Filter (BPF) option.

The docs here: https://www.ixsystems.com/documentation/freenas/11.2-U6/jails.html

say: "Use the Berkeley Packet Filter to data link layers in a protocol independent fashion. Unset by default to avoid security vulnerabilities. See BFP(4) for more details"

The man page is quite technical and does not include the strings "secur" or "vuln".

What is this warning about?

Thanks
 

seanm

"It should be noted that bpf also allows privileged users to run network packet sniffers on that system."

So if an adversary gets root in a jail, he can also sniff packets? Only those in and out of the jail, or of the FreeNAS host too?
 

dlavigne

Guest
Whatever is on the wire on that network. Environments where that is a security risk should either use static IPs (instead of DHCP) or ensure sensitive data is encrypted before going over the wire.
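The practical follow-up to this answer is an audit: which jails have bpf turned on without actually needing it for DHCP? The script below is an added example, not code from the thread or from the iocage project. It assumes the iocage properties `bpf` and `dhcp` (both on the page's topic) and, in a comment, an assumed way of listing jails with `iocage list`; the records it audits are constructed sample data.

```shell
#!/bin/sh
# Added example: report iocage jails that have bpf=1 while dhcp=0, i.e.
# jails whose root user could open /dev/bpf without DHCP requiring it.

# audit_bpf reads "name bpf dhcp" records from stdin and prints a WARN line
# for every jail with bpf enabled but dhcp disabled.
audit_bpf() {
    while read -r name bpf dhcp; do
        [ -z "$name" ] && continue
        if [ "$bpf" = "1" ] && [ "$dhcp" != "1" ]; then
            printf 'WARN %s: bpf=1 but dhcp=0 (root in the jail can sniff the wire)\n' "$name"
        fi
    done
}

# Constructed sample records (jail name, bpf, dhcp). On a real host one
# could build them from the CLI; the listing flags below are assumed:
#   for j in $(iocage list -h | awk '{print $2}'); do
#     printf '%s %s %s\n' "$j" "$(iocage get bpf "$j")" "$(iocage get dhcp "$j")"
#   done
SAMPLE='web 0 0
media 1 1
dev 1 0'

# sample_audit runs the check over the constructed records.
sample_audit() {
    printf '%s\n' "$SAMPLE" | audit_bpf
}

sample_audit
```

Only the `dev` jail is flagged: `media` has bpf on because DHCP needs it, and `web` has it off. A jail that shows up here should either be switched to a static IP with bpf=0, or be treated as a host that can read everything on that network segment.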
 