Date: Sun, 21 Nov 99 11:14:07 +0100
From: Adrian Steinmann <ast@marabu.ch>
To: security@FreeBSD.ORG
Subject: Re: ipfw and ifconfig
Message-ID: <199911211014.LAA24043@marabu.marabu.ch>
The discussion on why FreeBSD does ifconfig before ipfw, and whether it is secure depending on whether the kernel denies by default, prompts me to propose that we add to /etc/rc.firewall the boilerplate attached below: it takes down the interfaces to (re)load the rules, ignores HUP so reloading via net is possible, and of course brings back up the interfaces after reloading.

This makes the reloading of IPFW rules look like an "atomic transaction" from the outside, and TCP sessions are not erroneously denied due to race conditions.

We've done good mileage using this, but as always, YMMV.

Adrian
_________________________________________________________________________
Dr. Adrian Steinmann   Steinmann Consulting   Apollostrasse 21   8032 Zurich
Tel +41 1 380 30 83    Fax +41 1 380 30 85    Mailto:ast@marabu.ch

    ############
    # routine to set interfaces down and up
    interfaces () {
        # firewall_quiet=YES (rc.conf) suppresses the per-interface report
        if [ "x$firewall_quiet" = "xYES" ]; then
            ifcreport=":"
        else
            ifcreport=/sbin/ifconfig
        fi
        case "x$1" in
        xup)
            # bring up every down interface that has an inet address
            for i in `/sbin/ifconfig -dl`; do
                ( /sbin/ifconfig $i | /usr/bin/fgrep -qs inet ) 2>/dev/null && \
                    ( /sbin/ifconfig $i up && $ifcreport $i )
            done
            ;;
        xdown)
            # take down every up interface that has an inet address
            for i in `/sbin/ifconfig -ul`; do
                ( /sbin/ifconfig $i | /usr/bin/fgrep -qs inet ) 2>/dev/null && \
                    ( /sbin/ifconfig $i down && $ifcreport $i )
            done
            ;;
        *)
            echo "USAGE: interfaces [up|down]" >&2
            ;;
        esac
    } # interfaces ()

    ############
    # START
    trap : 1            # ignore SIGHUP: a reload over the network must survive losing the session
    interfaces down

    .... rules ...

    ############
    # DONE
    interfaces up

    # record what we have done
    $fwcmd show 2>&1 | /usr/bin/logger
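The "interfaces down, load rules, interfaces up" sequence above, as an added example that is not the script from the posted message and not part of /etc/rc.firewall. It keeps the same idea but differs in two defender-relevant ways: it records which interfaces were up before the reload and brings back exactly those (the posted `interfaces up` loops over `ifconfig -dl`, so it would also raise interfaces an administrator had deliberately left down), and it brings the interfaces back even when the rule loader fails, so a bad rule set cannot leave the host unreachable. IFCONFIG, FWCMD, the `load_rules` rule set and the `logger -t` tag are assumptions made here so the logic can be exercised with stubs; the rule lines are hypothetical placeholders, not the author's rules.

```sh
#!/bin/sh
# Added example (not the posted script): an ipfw reload wrapper that takes the
# live interfaces down, loads the rules, and brings exactly those interfaces
# back up, so the reload is atomic as seen from the network.
#
# Assumptions: IFCONFIG and FWCMD are overridable (stubs for testing); the
# caller supplies a shell function that loads the rule set.

IFCONFIG=${IFCONFIG:-/sbin/ifconfig}
FWCMD=${FWCMD:-/sbin/ipfw}

# Print the names of interfaces that are currently up and carry an inet address.
inet_up_interfaces() {
    for i in $($IFCONFIG -ul); do
        if $IFCONFIG "$i" 2>/dev/null | grep -q '^[[:space:]]*inet '; then
            echo "$i"
        fi
    done
    return 0   # a trailing interface without inet must not make the function fail
}

# Set every interface named in the arguments to the given state (up or down).
set_interfaces() {
    state=$1
    shift
    for i in "$@"; do
        $IFCONFIG "$i" "$state" || return 1
    done
}

# Reload with no window in which traffic meets a half-loaded rule set:
# remember which interfaces are live, take them down, run the loader, and
# bring the same interfaces back whether or not the loader succeeded.
# Returns the loader's status.
atomic_reload() {
    loader=$1
    saved=$(inet_up_interfaces)
    trap '' HUP                         # a reload over the network must survive HUP
    set_interfaces down $saved || return 1
    if "$loader"; then rc=0; else rc=1; fi
    set_interfaces up $saved || rc=1
    trap - HUP
    return $rc
}

# Hypothetical rule loader: flush and install a minimal default-deny rule set.
# Real rules belong in /etc/rc.firewall; these lines only illustrate the shape.
load_rules() {
    $FWCMD -f flush &&
    $FWCMD add 100 allow ip from any to any via lo0 &&
    $FWCMD add 200 check-state &&
    $FWCMD add 300 allow tcp from me to any setup keep-state &&
    $FWCMD add 65000 deny log ip from any to any
}

# Record the resulting rule set in syslog, as the posted script does.
log_ruleset() {
    $FWCMD show 2>&1 | /usr/bin/logger -t firewall
}

# Usage on a FreeBSD host with ipfw (requires root):
#   atomic_reload load_rules && log_ruleset
```

The interface list is captured once, before anything is taken down, and the same list is replayed for the `up` pass; a failing loader still reaches that pass and is reported through the return code, so the caller can log the failure without losing the machine.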