From owner-freebsd-security Wed Jun 14 11:37:00 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ixori.demon.nl (ixori.demon.nl [195.11.248.5])
	by hub.freebsd.org (Postfix) with ESMTP id 1964737B5D5
	for ; Wed, 14 Jun 2000 11:36:55 -0700 (PDT)
	(envelope-from bart@ixori.demon.nl)
Received: from smtp-relay by ixori.demon.nl (8.9.3/8.9.2) with ESMTP id UAA08006;
	Wed, 14 Jun 2000 20:40:06 +0200 (CEST)
	(envelope-from bart@ixori.demon.nl)
Received: from network (intranet) by smtp-relay (Bart's intranet smtp server)
Message-ID: <3947D1C3.517223F3@ixori.demon.nl>
Date: Wed, 14 Jun 2000 20:41:07 +0200
From: Bart van Leeuwen
Reply-To: bart@ixori.demon.nl
Organization: IxorI
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Gabor Zahemszky
Cc: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
References: <20000614171130.E471@zg.CoDe.hu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Gabor Zahemszky wrote:

> 1) Well, in 4.x ipfw _is_ stateful, but as a new feature, maybe not so
> many people use it.

While true, this still leaves a short window during which communications
are possible. This window is only really closed after all
deny/reject/icmp unreach/reset rules have been loaded (or at least a
deny all from any to any is added at the end) and will be 'open' again
during flush/reload. On a 486 or small Pentium system that can be quite
a bit more than a fraction of a second.

Default to accept is imho simply not suitable for a setup where such a
window might be an issue. This is regardless of using a kld or not.

> 2) This problem exists, if somebody is using the other firewall, ipf,
> as its default action is pass (yes, we can change it with that
> non-documented option)
> options IPFILTER_DEFAULT_BLOCK #kernel ipfilter default block

Well... wouldn't documenting the feature fix that? ;-) It is useful
enough I'd think..

> Conclusion: don't use a KLD firewall! (or maybe somebody will restructure
> our rc.network script, and put in those changes, which will make it easier
> to use ipf instead of ipfw.)

Nah, just load it from /boot/loader.conf

Add a line like:

ipfw_load="YES"

and it will be loaded and active even before init runs. Still won't help
a thing with default to accept tho.

On another note, I never saw the point of using a kld when ipfw is used
for security purposes, but that might just be me. The only reason I can
think of is being able to boot the machine to single user mode without
ipfw support, but I never encountered a situation where I might want to
do that ;-)

Oh well, and of course someone might want to do this in order to not
have to compile a new kernel... well... the time it takes to build that
kernel is likely to be very short when compared to the time it takes to
create a decent ipfw ruleset, and well worth the effort I think.

-- 
Bart van Leeuwen
-----------------------------------------------------------
mailto:bart@ixori.demon.nl - http://www.ixori.demon.nl/
-----------------------------------------------------------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
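The flush/reload window Bart describes is the usual reason a default-to-accept ipfw host is briefly wide open every time its rules are reloaded. The script below is an added example, not code from the thread or from FreeBSD's rc scripts, and it goes beyond the 4.x ipfw under discussion: it assumes ipfw2 rule sets (FreeBSD 5.0 and later), where rules live in sets 0-31, only enabled sets are consulted by the packet path, and "ipfw set swap" exchanges two set numbers in a single call. The new ruleset is built in a disabled staging set while the old set keeps filtering, then swapped in atomically, so there is no moment at which only the default rule is in effect. The IPFW variable, the set numbers and the sample rules are assumptions for this example; IPFW="echo ipfw" dry-runs the procedure and prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original thread): reload an ipfw ruleset
# without the "flush, then everything is accepted until the deny rules
# are back" window. Assumes ipfw2 rule sets (FreeBSD 5.0+). Set
# IPFW="echo ipfw" to dry-run; the default runs the real ipfw binary.

LIVE_SET=0    # set that is filtering traffic right now (assumed)
STAGE_SET=1   # scratch set used to build the replacement ruleset (assumed)

# Thin wrapper so the whole procedure can be dry-run or logged.
ipfw_cmd() {
    ${IPFW:-ipfw} "$@"
}

# Constructed sample ruleset: each line is what would follow "ipfw add".
write_sample_rules() {
    cat > "$1" <<'EOF'
# lines starting with # are ignored
100 allow ip from any to any via lo0
200 check-state
300 allow tcp from me to any setup keep-state
400 allow udp from me to any 53 keep-state
65000 deny log ip from any to any
EOF
}

# Build the new rules in the disabled staging set, then swap it with the
# live set. The old rules keep filtering until the swap; the new ones are
# consulted from the swap onward, so the default rule is never the only
# rule in effect.
reload_ruleset() {
    rules_file="$1"
    ipfw_cmd set disable "$STAGE_SET"            # never consulted while we build
    ipfw_cmd delete set "$STAGE_SET" || true     # may already be empty
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086  # $rule must be word-split into arguments
        ipfw_cmd set "$STAGE_SET" add $rule
    done < "$rules_file"
    ipfw_cmd set swap "$LIVE_SET" "$STAGE_SET"   # the atomic cutover
    ipfw_cmd delete set "$STAGE_SET"             # now holds the old rules
}

# Only touch the running firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp)
    write_sample_rules "$tmp"
    reload_ruleset "$tmp"
    rm -f "$tmp"
fi
```

Two caveats a practitioner should check on the release in use: rules added without a number are placed after the highest existing one, so keep explicit rule numbers in the file as the sample does, or the numbering creeps upward with every reload; and dynamic entries created by keep-state rules belong to their parent rule in the old set, so established flows may have to re-match the new rules once that set is deleted. Neither changes the point of the example, which is that the cutover itself leaves no window, unlike "ipfw -f flush" followed by re-adding rules one at a time.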