Do not enable Berkeley Packet Filter by default in new UI
Jails -> Add Basic and Wizard
The Berkeley Packet Filter (BPF) is set by default.
BPF should not be set by default as it can pose a security risk.
BPF should be set when DHCP Autoconfigure IPv4 is set.
The BPF checkbox should behave the same way as the VNET checkbox.
This screenshot was taken on first entry to the Advanced Jail Creation Wizard.
#8 Updated by Timothy Moore II almost 2 years ago
- Status changed from Ready for Testing to Failed Testing
Testing with FreeNAS system updated to FreeNAS-11.2-MASTER-201809140904:
Go to Jails > Add. Use the wizard to create a simple jail with manual network settings. After creation, edit the jail to view its settings. Find Berkeley Packet Filter setting enabled. Further investigation shows that if DHCP is set at any point, then VNET and Berkeley Packet Filter are also set, but unsetting DHCP leaves both VNET and Berkeley Packet Filter set.
Suggestion: In addition to updating the button behavior, it might be good to add the Berkeley Packet Filter setting to the Jail creation wizard. Then the user can see what changes settings-wise when DHCP is set.
#9 Updated by Michael Reynolds almost 2 years ago
To clarify, BPF was enabled when entering the Wizard and before DHCP was enabled.
BPF should not be enabled until the DHCP option is set.
Unchecking DHCP does leave the VNET and BPF options set.
I thought there was a ticket for that already but could be wrong.
I'm not sure that VNET and BPF should be unset if DHCP is unchecked, as VNET and BPF can be used without DHCP (when a static IP is configured, for example).
#10 Updated by Lola Yang almost 2 years ago
Yes, Mike is correct.
1. BPF should not be enabled until the DHCP option is set.
2. VNET and BPF can be used without DHCP, so in some situations, automatically unsetting VNET and BPF when DHCP is unchecked is not correct.
And confirmed with Brandon: unsetting DHCP and leaving both VNET and Berkeley Packet Filter set won't lead to any problems.
#11 Updated by Timothy Moore II almost 2 years ago
- Status changed from Failed Testing to Passed Testing
Confirmed no additional button behavior changes are forthcoming. Retest with FreeNAS Mini updated to FreeNAS-11.2-MASTER-201809180851:
Go to Jails > Add Wizard. Create simple jail 43112 with 11.2-RELEASE and no configured network settings. Edit jail and confirm Berkeley Packet Filter is not set.