From 1831fb6d973a4471e70038bb5efef901075b2caa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Fort?= <95703796+nicolas-fort@users.noreply.github.com> Date: Sat, 17 Aug 2024 05:23:09 -0300 Subject: [PATCH] Firewall: add warning message, saying that during boot, all interfaces are loaded before firewall. (#1524) --- docs/configuration/firewall/index.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 9f21a772..a5b88839 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -4,6 +4,11 @@ Firewall ######## +.. warning:: Due to a race condition that can lead to a failure during boot + process, all interfaces are initialized before firewall is configured. This + leads to a situation where the system is open to all traffic, and can be + considered as a security risk. + As VyOS is based on Linux it leverages its firewall. The Netfilter project created iptables and its successor nftables for the Linux kernel to work directly on packet data flows. This now extends the concept of
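Review bot: The new ``.. warning::`` block tells the reader that the system is exposed but not what to do about it; a warning at the top of the firewall chapter should also say how to assess or reduce the window (for example, which releases are affected, how long the unfiltered period lasts, and whether keeping services bound only to trusted interfaces or bringing up uplinks after boot is recommended), or link to the tracking issue so the reader can follow the fix. The wording also needs articles and a firmer conclusion: "during boot process" should read "during the boot process", "before firewall is configured" should read "before the firewall is configured", and "can be considered as a security risk" understates it; suggest "This means that, until the firewall rules are loaded, the system accepts all traffic on every interface, which is a security risk."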