Date: Wed, 14 Jun 2000 20:41:07 +0200
From: Bart van Leeuwen <bart@ixori.demon.nl>
To: Gabor Zahemszky <ZGabor@CoDe.hu>
Cc: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
Message-ID: <3947D1C3.517223F3@ixori.demon.nl>
References: <Pine.BSF.4.21.0006131512000.76423-100000@ouch.Oof.NET> <20000614171130.E471@zg.CoDe.hu>
Gabor Zahemszky wrote:

> 1) Well, in 4.x ipfw _is_ stateful, but as a new feature, maybe not so
> many people use it.

While true, this still leaves a short window during which communications are possible. This window is only really closed after all deny/reject/icmp unreach/reset rules have been loaded (or at least a deny all from any to any is added at the end) and will be 'open' again during flush/reload. On a 486 or small pentium system that can be quite a bit more than a fraction of a second. Default to accept is imho simply not suitable for a setup where such a window might be an issue. This is regardless of using a kld or not.

> 2) This problem exists, if somebody is using the other firewall, ipf,
> as its default actions are pass (yes, we can change it with that
> non-documented option)
>
> options IPFILTER_DEFAULT_BLOCK #kernel ipfilter default block

Well... wouldn't documenting the feature fix that? ;-) It is useful enough I'd think..

> Conclusion: don't use a KLD firewall! (or maybe somebody will restructure
> our rc.network script, and put those changes in, which will make it easier
> to use ipf instead of ipfw.)

Nah, just load it from /boot/loader.conf

Add a line like:

ipfw_load="YES"

and it will be loaded and active even before init runs. Still won't help a thing with default to accept tho.

On another note, I never saw the point of using a kld when ipfw is used for security purposes, but that might just be me. The only reason I can think of is being able to boot the machine to single user mode without ipfw support, but I never encountered a situation where I might want to do that ;-)

Oh well, and of course someone might want to do this in order to not have to compile a new kernel... well... the time it takes to build that kernel is likely to be very short when compared to the time it takes to create a decent ipfw ruleset, and well worth the effort I think.
--
Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------
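The window Bart describes reopens on every reload because `ipfw -f flush` removes everything except the kernel's default rule, which on a default-to-accept kernel passes all traffic until the deny rules are back. The following reload helper is an added example, not code from this message or from FreeBSD's rc scripts: it reserves rule number 65534 as a permanent catch-all deny (an assumption of this example, one below the fixed default rule 65535), deletes old rules individually instead of flushing, and refuses any ruleset that would number a rule at or above the catch-all. The `IPFW` variable, the `validate_ruleset` check and the one-rule-per-line file layout are this example's own conventions; the `ipfw list`, `ipfw add` and `ipfw delete` invocations are standard ipfw(8) syntax.

```shell
#!/bin/sh
# Added example: reload an ipfw ruleset without reopening the default-to-accept window.
# Assumptions: FreeBSD ipfw(8) syntax ("list", "add", "delete"); rule 65534 is reserved
# here as a permanent catch-all deny; the ruleset file holds one "<number> <action> ..."
# rule per line, all numbered below 65534. Comments and blank lines are ignored.
IPFW="${IPFW:-ipfw}"   # overridable so the logic can be exercised with a mock command
CATCHALL=65534         # one below the kernel's fixed default rule 65535

# Print the numbers of every rule except the catch-all and the kernel default.
user_rule_numbers() {
    "$IPFW" list | awk -v c="$CATCHALL" '{ n = $1 + 0; if (n != c + 0 && n != 65535) print n }'
}

# Add the catch-all deny only if it is not already present (ipfw allows duplicate
# rule numbers, so an unconditional add would pile up copies on every reload).
ensure_catchall() {
    if ! "$IPFW" list | grep -q "^0*$CATCHALL "; then
        "$IPFW" add "$CATCHALL" deny ip from any to any
    fi
}

# Reject rulesets containing a non-numeric or out-of-range rule number: a rule at or
# above the catch-all could either shadow it or be removed by the next reload's deletes.
validate_ruleset() {
    awk -v c="$CATCHALL" '
        /^[[:space:]]*(#|$)/ { next }
        $1 !~ /^[0-9]+$/ || $1 + 0 >= c + 0 { bad = 1 }
        END { exit bad + 0 }' "$1"
}

reload_ruleset() {
    rules_file="$1"
    validate_ruleset "$rules_file" || return 1
    ensure_catchall                        # 1. close the hole before touching anything
    for n in $(user_rule_numbers); do      # 2. delete old rules one by one; never "flush",
        "$IPFW" delete "$n"                #    which would take the catch-all with it
    done
    # 3. load the new rules; traffic stays denied by 65534 until each allow is in place.
    #    $rest is deliberately unquoted so the rule body is passed as separate words.
    grep -Ev '^[[:space:]]*(#|$)' "$rules_file" | while read -r number rest; do
        "$IPFW" add "$number" $rest
    done
}

# Usage: reload_ruleset /path/to/ipfw.rules
if [ $# -eq 1 ]; then
    reload_ruleset "$1"
fi
```

Keeping the catch-all outside the reload path means a mistake in the new ruleset fails closed rather than open, which is the behaviour a default-to-deny kernel would give for free.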