[OpenWrt-Devel] Sysupgrade and Failed to kill all processes

Michael Richardson mcr at sandelman.ca
Thu May 14 10:23:13 EDT 2020

Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
    >> A reboot with some logging on disk would allow for remote sysupgrades
    >> to have some kind of recoverability.

    > What if the failure left the box in a partially compromised state?
    > Would you want your firewall to “fail open”?  I wouldn’t.

It depends a lot on the relative cost of sending a service person there to
repair the device (push the button, reflash or replace the device), vs the
risk of the box not operating at all.

In the NAT44 home router situation, the lack of an iptables to do MASQ or
port forwarding results in the "firewall" failing closed.
No packets traverse, but the box might be accessible by network for repairs
from one side or the other.

In the IPv6 and routed IPv4 situation, if packet forwarding is enabled, then
the box might continue to provide critical functionality, and it might be
possible to repair it remotely.

In the case where this isn't a router, but a NAS, or some other IoT device,
then the lack of a firewall, if the device has multiple layers of security
(no stupid default passwords, or no passwords at all) results in a lowered
level of security, but not zero security.

In general, I think that this decision needs to be up-leveled to a build
option.  There are many cases where I would agree: you want the box to die
rather than potentially come up insecurely.
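The fail-open versus fail-closed choice discussed above, as an added example that is not part of the thread and not OpenWrt's own sysupgrade or firewall code. It assumes a hypothetical `FAIL_MODE` setting standing in for the proposed build option, function names of my own choosing, and two constructed `iptables -S` listings (one from a healthy NAT44 box, one from a box whose firewall never loaded). In `closed` mode a missing firewall turns packet forwarding off, so transit traffic stops while the box itself stays reachable on its own addresses for repair; in `open` mode forwarding stays on so a routed-IPv4 or IPv6 box keeps providing service.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a boot-time check that
# decides whether a router keeps forwarding when its firewall failed to load,
# e.g. after a sysupgrade that left iptables unusable.
# FAIL_MODE is a hypothetical config option; "closed" is the safe default.

# firewall_state RULES
#   RULES is the combined text of `iptables -S` and `iptables -t nat -S`,
#   passed as a string so the check runs without root (pipe in the real
#   output in production). Prints: ok, no-forward-policy or no-masquerade.
firewall_state() {
    rules=$1
    # A loaded firewall either sets FORWARD to DROP or carries FORWARD rules.
    if ! printf '%s\n' "$rules" | grep -q -E '^-P FORWARD DROP|^-A FORWARD '; then
        echo no-forward-policy
        return 0
    fi
    # A NAT44 home router also needs MASQUERADE on nat/POSTROUTING, otherwise
    # forwarding private LAN addresses to the WAN is useless anyway.
    if ! printf '%s\n' "$rules" | grep -q -E '^-A POSTROUTING .*-j MASQUERADE'; then
        echo no-masquerade
        return 0
    fi
    echo ok
}

# decide_forwarding MODE RULES -> prints 1 (keep forwarding) or 0 (stop it)
decide_forwarding() {
    mode=$1
    state=$(firewall_state "$2")
    if [ "$state" = ok ]; then
        echo 1
    elif [ "$mode" = open ]; then
        echo 1   # availability over safety: forward unfiltered, repair remotely
    else
        echo 0   # fail closed: no transit traffic; INPUT is untouched, so the
                 # box itself stays reachable from either side for repair
    fi
}

# apply_forwarding VALUE: push the decision into the kernel for IPv4 and IPv6.
# Needs root; with DRY_RUN=1 (the default here) it only prints the command.
apply_forwarding() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: sysctl -w net.ipv4.ip_forward=$1 net.ipv6.conf.all.forwarding=$1"
    else
        sysctl -w net.ipv4.ip_forward="$1" net.ipv6.conf.all.forwarding="$1"
    fi
}

# Constructed sample listing: what a healthy NAT44 box reports.
HEALTHY_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -i br-lan -o eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample listing: firewall never loaded, kernel defaults only.
BROKEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT'

main() {
    for mode in closed open; do
        printf '%-6s healthy: fw=%-17s forward=%s\n' "$mode" \
            "$(firewall_state "$HEALTHY_RULES")" "$(decide_forwarding "$mode" "$HEALTHY_RULES")"
        printf '%-6s broken:  fw=%-17s forward=%s\n' "$mode" \
            "$(firewall_state "$BROKEN_RULES")" "$(decide_forwarding "$mode" "$BROKEN_RULES")"
    done
    # Apply the configured policy to the broken-firewall case (dry run).
    apply_forwarding "$(decide_forwarding "${FAIL_MODE:-closed}" "$BROKEN_RULES")"
}

main
```

Run it as `FAIL_MODE=open sh fw_failmode.sh` to see the open-mode decision; set `DRY_RUN=0` only on a real box where the sysctl write is intended. The only policy knob is `FAIL_MODE`; everything else is a pure function of the rule listing, which is what makes the decision easy to test in a build pipeline before it ever runs on hardware.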

