Date: Mon, 23 Oct 2000 08:40:02 -0700 (PDT)
From: Ruslan Ermilov <ru@sunbay.com>
To: freebsd-bugs@FreeBSD.org
Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny incoming connections
Message-ID: <200010231540.IAA54834@freefall.freebsd.org>
The following reply was made to PR bin/22238; it has been noted by GNATS.

From: Ruslan Ermilov <ru@sunbay.com>
To: robmel@innotts.co.uk
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny incoming connections
Date: Mon, 23 Oct 2000 18:33:37 +0300

On Mon, Oct 23, 2000 at 10:25:27AM +0100, robmel@innotts.co.uk wrote:
>
> User PPP has the option to prevent any connections to be established from the
> remote end. The options "nat enable yes" and "nat deny_incoming yes" should
> place ppp in this state. It does not. PPP uses the libalias library which
> correctly returns the status flag PKT_ALIAS_IGNORED when an incoming
> connection is attempted. However ppp does not drop the packet as advertised.
>
> The implications of this are serious for users who believe they are behind
> a one-way firewall. In fact, all their services which are not explicitly
> bound only to the loopback and/or internal interfaces are fully exposed on the
> Internet and can be connected to. While this does not bypass any other
> security which may be in place on these services it markedly increases their
> ppp host's vulnerability to unauthorised access using other known or
> unknown exploits.
>

We had the discussion recently with Brian Somers on this topic.
Hopefully, we will come up with a solution shortly.

--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
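
The status handling described in the quoted report, as an added example that is not part of the original message and is not ppp's or libalias's code: a caller that ignores the "ignored" status beside one that drops on it. The packet struct, the stub alias function, both handlers and the constant values are assumptions made for the example; only the name PKT_ALIAS_IGNORED comes from the report.

```c
#include <stdio.h>

/* Status codes defined locally for this example (values are assumptions). */
enum { PKT_ALIAS_OK = 1, PKT_ALIAS_IGNORED = 2 };
enum verdict { VERDICT_DELIVER, VERDICT_DROP };

/* Constructed inbound packet: it either matches a mapping created by
 * earlier outbound traffic, or it is an unsolicited connection attempt. */
struct pkt { unsigned short dport; int has_mapping; };

/* Hypothetical stand-in for the NAT engine: in deny_incoming mode a packet
 * with no existing mapping is left untranslated and reported as ignored. */
static int alias_in_stub(const struct pkt *p, int deny_incoming)
{
    if (deny_incoming && !p->has_mapping)
        return PKT_ALIAS_IGNORED;
    return PKT_ALIAS_OK;
}

/* Behaviour the report describes: the status is computed but not acted on,
 * so the unsolicited packet still reaches local services. */
static enum verdict inbound_unchecked(const struct pkt *p, int deny_incoming)
{
    (void)alias_in_stub(p, deny_incoming);
    return VERDICT_DELIVER;
}

/* Checked form: in deny_incoming mode anything other than a successful
 * translation is dropped (fail closed). */
static enum verdict inbound_checked(const struct pkt *p, int deny_incoming)
{
    int rc = alias_in_stub(p, deny_incoming);
    if (deny_incoming && rc != PKT_ALIAS_OK)
        return VERDICT_DROP;
    return VERDICT_DELIVER;
}

int main(void)
{
    /* Constructed samples: two unsolicited attempts and one reply packet. */
    const struct pkt samples[] = { {22, 0}, {80, 0}, {40001, 1} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dport %5u  unchecked=%s  checked=%s\n",
               (unsigned)samples[i].dport,
               inbound_unchecked(&samples[i], 1) == VERDICT_DROP ? "drop" : "deliver",
               inbound_checked(&samples[i], 1) == VERDICT_DROP ? "drop" : "deliver");
    return 0;
}
```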