From owner-freebsd-security Thu Oct 18 10:40:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from straylight.ringlet.net (straylight.ringlet.net [217.75.134.254]) by hub.freebsd.org (Postfix) with SMTP id D5A5037B401 for ; Thu, 18 Oct 2001 10:40:21 -0700 (PDT)
Received: (qmail 3111 invoked by uid 1000); 18 Oct 2001 17:40:16 -0000
Date: Thu, 18 Oct 2001 20:40:16 +0300
From: Peter Pentchev
To: xlr82xs@sdf.lonestar.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Using IPFW with dynamic IP
Message-ID: <20011018204016.B564@straylight.oblivion.bg>
Mail-Followup-To: xlr82xs@sdf.lonestar.org, freebsd-security@FreeBSD.ORG
References: <200110180254.f9I2sU809937@tinny.eis.net.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200110180254.f9I2sU809937@tinny.eis.net.au>; from xlr82xs@eis.net.au on Thu, Oct 18, 2001 at 12:54:30PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Oct 18, 2001 at 12:54:30PM +1000, David Trzcinski wrote:
> Personally, I would recommend using /etc/ppp/ppp.linkup with the MYADDR
> variable
>
> i.e.: !bg /sbin/ipfw (or wherever your ipfw program resides...) add 20
> allow tcp from any to MYADDR in via INTERFACE established
>
> Though I have found that SOMETIMES the ppp script doesn't actually
> add all of the rules... mine are numbered in increments of 10, but on
> the rare occasion several rules may be left out, so I go from, say, 60 to
> 110.

Is there a reason you are using '!bg', and not, say, 'shell'?

I personally would be more comfortable with 'shell', knowing that ppp
would actually wait for each rule addition to complete, and knowing
that all the rules will be added in the correct order.
With '!bg', you run the chance that a higher-numbered rule might be
added before a lower-numbered one, providing a window during which
either a malicious packet could sneak in, or a valid packet could be
denied.

Actually, I would be most comfortable using 'shell ipfw /path/to/rules',
thus saving a shell and ipfw invocation for each single rule.

G'luck,
Peter

-- 
This sentence no verb.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
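[Editor's note, added example: the following script is not from the thread above, nor from FreeBSD's ppp or ipfw; it shows one way to do what Peter suggests, namely have /etc/ppp/ppp.linkup call a single synchronous 'shell' command that installs the whole ruleset in one ipfw run, rather than one '!bg ipfw add ...' per rule. The script path /usr/local/etc/ppp-ipfw.sh, the rule numbers, the sample rules and the interface name are assumptions for the example; MYADDR and INTERFACE substitution by ppp in ppp.linkup and the 'ipfw [-q] pathname' rule-file form are taken from ppp(8) and ipfw(8).]

```shell
#!/bin/sh
# Added example (not from the original thread): build the dial-up ipfw
# ruleset for the address ppp negotiated and install it with ONE ipfw
# invocation, so that ppp.linkup can run it with "shell" (which waits
# for completion) instead of "!bg" (which does not). Assumed hook in
# /etc/ppp/ppp.linkup:
#
#   MYADDR:
#    shell /usr/local/etc/ppp-ipfw.sh MYADDR INTERFACE
#
# ppp(8) substitutes MYADDR and INTERFACE before running the command.
# Script path, rule numbers and the rules themselves are assumptions;
# adapt them to the policy you actually want.

IPFW=${IPFW:-/sbin/ipfw}

# Accept only a dotted-quad IPv4 address. The value comes from the link
# negotiation and is spliced into firewall rules, so refuse anything else.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    (
        set -f                  # no globbing while we split on dots
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Interface names: letters, digits, dot and underscore only (tun0, ...).
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ruleset for address $1 on interface $2 in ipfw(8) rule-file
# syntax (one command per line, without the leading "ipfw"). ipfw installs
# the lines in file order, so the order here is the order in the kernel.
gen_rules() {
    addr=$1
    iface=$2
    cat <<EOF
add 00010 allow ip from any to any via lo0
add 00020 check-state
add 00030 allow tcp from $addr to any out via $iface setup keep-state
add 00040 allow udp from $addr to any 53 out via $iface keep-state
add 00050 allow tcp from any to $addr in via $iface established
add 00060 allow icmp from any to $addr in via $iface icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Write the ruleset to a private temp file (mktemp creates it mode 0600),
# flush the old rules and load the new ones in a single ipfw run. ipfw
# returns only after the last rule is installed, so a "shell" caller in
# ppp.linkup never sees a half-built ruleset.
load_rules() {
    valid_ipv4 "$1"  || { echo "ppp-ipfw: bad address: $1" >&2; return 1; }
    valid_iface "$2" || { echo "ppp-ipfw: bad interface: $2" >&2; return 1; }
    tmp=$(mktemp /tmp/ppp-ipfw.XXXXXX) || return 1
    gen_rules "$1" "$2" > "$tmp"
    "$IPFW" -q -f flush && "$IPFW" -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# When ppp invokes us with the two substituted arguments, do the work.
if [ $# -eq 2 ]; then
    load_rules "$1" "$2"
fi
```

Between the flush and the load the only rule present is the default one, so on a kernel with the usual default-deny policy that gap is closed; on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT it is open, and you would want to load the new rules before deleting the old ones instead of flushing first.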