From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
Date: Wed, 25 Apr 2001 18:54:55 +0000
To: freebsd-net@freebsd.org, freebsd-small@freebsd.org
Subject: DHCP vulnerabilities ...
Message-ID: <3AE71D7F.14ECB429@aurora.regenstrief.org>

Hi,

I'm just about configuring a PicoBSD-based VPN gateway settop box
kind of thing :-). I am dealing with cable modem ISPs and decided
to do it the right way, i.e. DHCP.

I discovered some problems with DHCP during the setup phase, where
the machine is in a weird state, the firewall may not be configured
right and neither are the IPsec policies. During that short time
frame after DHCP has assigned a new address and the completion of
the IPsec ipf stuff called from /etc/dhclient-exit-hooks the
interface is up and may be unprotected.

It would be nice if there was a way to keep the re-configured
interface down and only bring it up after all is well in
/etc/dhclient-exit-hooks. Sure I can (and will) do that in my
dhclient-script ("ifconfig if0 down" "ifconfig if0 up"), but just
wanted folks to know about this.

regards
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
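The hold-down described in the message, sketched as a fragment for /etc/dhclient-exit-hooks. This is an added example, not part of the original post and not the author's script. The paths /etc/ipf.rules and /etc/ipsec.conf, the RUN dry-run variable and the function names are assumptions; $reason, $interface, $old_ip_address and $new_ip_address are the variables dhclient-script provides.

```shell
# Added example: fragment for /etc/dhclient-exit-hooks (sourced by dhclient-script).
# Assumed paths; adjust to the local setup.
IPF_RULES=${IPF_RULES:-/etc/ipf.rules}
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
RUN=${RUN:-}            # hypothetical dry-run knob: RUN=echo prints commands instead of running them

# Does this dhclient event put a new address on the interface?
address_changed() {     # $1=reason $2=old address $3=new address
    case "$1" in
        BOUND|REBOOT) return 0 ;;
        RENEW|REBIND) [ "$2" != "$3" ] ;;   # unchanged lease: leave traffic alone
        *) return 1 ;;
    esac
}

# Hold the interface down while filter rules and IPsec policy are loaded;
# bring it up only if both loads succeed, so a failure leaves it down.
protect_interface() {   # $1=reason $2=interface $3=old address $4=new address
    address_changed "$1" "$3" "$4" || return 0
    $RUN ifconfig "$2" down || return 1
    if $RUN ipf -Fa -f "$IPF_RULES" && $RUN setkey -f "$IPSEC_CONF"; then
        $RUN ifconfig "$2" up
    else
        echo "dhclient-exit-hooks: policy load failed, $2 left down" >&2
        return 1
    fi
}

# dhclient-script sets these variables before sourcing the hook file.
if [ -n "${reason:-}" ]; then
    protect_interface "$reason" "$interface" "${old_ip_address:-}" "${new_ip_address:-}"
fi
```

Run from the exit hook, this only narrows the window: dhclient-script has already configured the address by the time the hook is sourced, which is why the message proposes doing the down/up in dhclient-script itself.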