From owner-freebsd-stable@FreeBSD.ORG Sat Mar 17 00:28:24 2007
Date: Fri, 16 Mar 2007 17:28:16 -0700
From: Jeremy Chadwick
To: JoaoBR
Cc: freebsd-stable@freebsd.org
Subject: Re: rc.order wrong (ipfw)
Message-ID: <20070317002816.GA40565@icarus.home.lan>
In-Reply-To: <200703162033.01586.joao@matik.com.br>
References: <200703161152.l2GBqR9q065684@lurza.secnetix.de> <200703161800.30583.joao@matik.com.br> <20070316215017.GA38114@icarus.home.lan> <200703162033.01586.joao@matik.com.br>
X-PGP-Key: http://jdc.parodius.com/pubkey.asc
User-Agent: Mutt/1.5.13 (2006-08-11)

On Fri, Mar 16, 2007 at 08:33:01PM -0300, JoaoBR wrote:
> On Friday 16 March 2007 18:50, Jeremy Chadwick wrote:
> > Okay, imagine this order:
> >
> > 1) Kernel starts
> > 2) Network driver is loaded
> > 3) Link is brought up
> > 4) Interface is configured for IP (manually or via DHCP)
> > 5) Firewall rules (ipfw or pf) are applied
> >
> > Do you realise that between step #4 and step #5 there is a small
> > window of time where someone may be able to send packets to your machine
> > and get responses which would normally be blocked by ipfw/pf?
>
> No, no, that is not exactly how it works.
>
> Unless you change ipfw's default behaviour, which is deny all from any to any,
> nothing goes to this machine, because by default everything is blocked until
> you permit it.

You're absolutely correct; however, your original post seems to have taken
many of us by surprise, causing some of us (at least me!) to assume that
you've changed the default method to allow. I'm obviously misunderstanding,
so I apologise for that, but I hope you can see the reasoning behind my
comments, given what I knew at the time. :)

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
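As an added example (not part of this thread and not FreeBSD's rcorder(8) itself), here is a small Python model of how rcorder resolves PROVIDE/REQUIRE/BEFORE headers, used to check whether the firewall script lands ahead of interface configuration; the script names and header lines are constructed for illustration and do not reproduce any FreeBSD release's actual rc.d headers.

```python
"""Model of rc.d dependency ordering (what rcorder(8) does at boot), used to
verify that the firewall script is ordered before interface configuration.
The headers below are CONSTRUCTED for this example, not copied from any
FreeBSD release; to check a live system, read the real files in /etc/rc.d."""
import re
from collections import defaultdict

# Constructed sample of rc.d rcorder blocks, keyed by script name.
SAMPLE_SCRIPTS = {
    "root": "# PROVIDE: root\n",
    "sysctl": "# PROVIDE: sysctl\n# REQUIRE: root\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: sysctl\n# BEFORE: netif\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: sysctl\n",
    "dhclient": "# PROVIDE: dhclient\n# REQUIRE: netif\n",
}

HDR = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_headers(text):
    """Return {keyword: [names]} from a script's rcorder header comments."""
    out = defaultdict(list)
    for kw, names in HDR.findall(text):
        out[kw].extend(names.split())
    return out

def order_scripts(scripts):
    """Topological order: REQUIRE means 'run after', BEFORE means 'run before'."""
    provides = {}
    for name, text in scripts.items():
        for p in parse_headers(text)["PROVIDE"]:
            provides[p] = name
    deps = {n: set() for n in scripts}  # deps[x] = scripts that must precede x
    for name, text in scripts.items():
        h = parse_headers(text)
        for r in h["REQUIRE"]:
            if r in provides:
                deps[name].add(provides[r])
        for b in h["BEFORE"]:
            if b in provides:
                deps[provides[b]].add(name)
    ordered = []
    while len(ordered) < len(scripts):
        ready = sorted(n for n in scripts if n not in ordered and deps[n] <= set(ordered))
        if not ready:
            raise ValueError("dependency cycle in rc.d headers")
        ordered.append(ready[0])
    return ordered

def firewall_before_network(scripts, fw="ipfw", net="netif"):
    """True when the firewall script runs before interface configuration."""
    order = order_scripts(scripts)
    return order.index(fw) < order.index(net)
```

Dropping the BEFORE line or making the firewall script REQUIRE the network script reproduces the ordering the thread worries about, where addresses are configured before rules are loaded.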