From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 3 15:38:17 2007
Date: Tue, 3 Apr 2007 18:40:54 +0300
From: Mike Makonnen <mtm@FreeBSD.Org>
To: AT Matik
Cc: jonw@whoweb.com, freebsd-ipfw@freebsd.org
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Message-ID: <20070403154054.GA1468@rogue.navcom.lan>
References: <200704021540.l32FerX8074400@freefall.freebsd.org> <200704021302.52345.asstec@matik.com.br> <20070403100324.GA1710@rogue.navcom.lan> <200704030804.31819.asstec@matik.com.br>
In-Reply-To: <200704030804.31819.asstec@matik.com.br>
User-Agent: Mutt/1.4.2.2i
X-Operating-System: FreeBSD/7.0-CURRENT (i386)
List-Id: IPFW Technical Discussions

On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote:
> I see your point
> but first tell me, how do you know that the rules are *successfully* loaded?
>

Sorry, I wrote that email from memory and thought that was how it operated.
However, what it does is output a warning if the last rule is to deny all
packets (btw, is that correct? I thought ipfw operated on a "first-match"
basis, so there could be rules before that one to allow certain packets. The
more I look at it, the more bogus it looks to me, but I'm not an ipfw user
so...).

Anyways, I believe your original comment had to do with enabling the firewall
in a precmd() subroutine. I suppose in the end it comes down to personal
preference. It just seems "more correct" to me that the rules are loaded first
and then the firewall is turned on, but I can see how someone else might
disagree.

I just thought of something else as well: Enabling the firewall and then
loading the rules may introduce a brief window of vulnerability where the
firewall is enabled (default to allow) but no rules are loaded. Of course,
enabling the firewall regardless of the outcome of the firewall script would
probably introduce a much bigger window of vulnerability :-).

In any case, since I'm not a regular ipfw user I don't feel comfortable making
any more changes that might have unintended consequences. I'll leave it to
someone more familiar with ipfw to comment on and commit any further changes.

Cheers.

-- 
Mike Makonnen          | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mmakonnen @ gmail.com  | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
mtm @ FreeBSD.Org      | FreeBSD - http://www.freebsd.org
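The ordering argued for above (run $firewall_script as a child process so its exit status says whether the rules loaded, and only then enable ipfw), as an added POSIX sh example that is not the FreeBSD rc.d/ipfw script. The function names and the SYSCTL override are assumptions made so the logic can be exercised without a FreeBSD kernel.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/rc.d/ipfw). Assumption: SYSCTL may be
# overridden with a stub command so the ordering can be tested off-box.

# Execute the firewall script instead of sourcing it: a child sh started
# with -e stops at the first failing "ipfw add" and its exit status tells
# us whether the whole rule set was loaded.
firewall_load_rules() {
    script=$1
    if [ ! -r "$script" ]; then
        echo "ipfw: cannot read firewall script $script" >&2
        return 1
    fi
    sh -e "$script"
}

# Load rules first, enable second. Enabling a default-to-accept firewall
# before its rules are in place leaves a window with no filtering at all;
# enabling it when the script failed leaves that window open indefinitely.
firewall_load_then_enable() {
    sysctl_cmd=${SYSCTL:-sysctl}
    if firewall_load_rules "$1"; then
        "$sysctl_cmd" net.inet.ip.fw.enable=1
    else
        echo "ipfw: rules failed to load, firewall left disabled" >&2
        return 1
    fi
}

# Usage (on a FreeBSD host): firewall_load_then_enable /etc/rc.firewall
```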