Date: Thu, 18 Oct 2001 20:40:16 +0300
From: Peter Pentchev <roam@ringlet.net>
To: xlr82xs@sdf.lonestar.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Using IPFW with dynamic IP
Message-ID: <20011018204016.B564@straylight.oblivion.bg>
In-Reply-To: <200110180254.f9I2sU809937@tinny.eis.net.au>; from xlr82xs@eis.net.au on Thu, Oct 18, 2001 at 12:54:30PM +1000
References: <200110180254.f9I2sU809937@tinny.eis.net.au>
On Thu, Oct 18, 2001 at 12:54:30PM +1000, David Trzcinski wrote:
> Personally, I would recommend using /etc/ppp/ppp.linkup with the MYADDR
> variable
>
> i.e.: !bg /sbin/ipfw (or wherever your ipfw program resides...) add 20
> allow tcp from any to MYADDR in via INTERFACE established
>
> though, I have found that SOMETIMES, the ppp script doesn't actually
> add all of the rules...mine are numbered in increments of 10, but on
> the rare occasion, several rules may be left out so I go from say 60 to
> 110

Is there a reason you are using '!bg', and not, say, 'shell'? I personally
would be more comfortable with 'shell', knowing that ppp would actually wait
for each rule addition to complete, and knowing that all the rules will be
added in the correct order.

With '!bg', you run the chance that a higher-numbered rule might be added
before a lower-numbered one, providing a window during which either a
malicious packet could sneak in, or a valid packet could be denied.

Actually, I would be most comfortable using 'shell ipfw /path/to/rules', thus
saving a shell and ipfw invocation for each single rule.

G'luck,
Peter

-- 
This sentence no verb.
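As an added example (not David's or Peter's code, and not part of the original thread), the approach Peter describes: a script that ppp.linkup calls with 'shell', which writes the rules for MYADDR to one file, checks that they are numbered in increasing order, and loads them with a single ipfw invocation. The script path, the rule file path and every rule other than rule 20 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build the dynamic-address ipfw rules as
# one file and load it with a single ipfw invocation, so every rule is added,
# in order, before ppp(8) continues.  Assumed to live at /etc/ppp/ipfw-linkup.sh
# and to be called from /etc/ppp/ppp.linkup with the 'shell' command, e.g.
#   MYADDR:
#    shell /etc/ppp/ipfw-linkup.sh MYADDR INTERFACE
# ppp replaces MYADDR and INTERFACE with the negotiated address and tun device.

# Print the rule set for address $1 on interface $2, one ipfw(8) command per
# line, in the form 'ipfw <file>' reads.  Only rule 20 comes from the thread;
# the other rules and their numbers are constructed for illustration.
gen_ipfw_rules() {
    myaddr=$1; iface=$2
    printf 'add 20 allow tcp from any to %s in via %s established\n' "$myaddr" "$iface"
    printf 'add 30 allow ip from %s to any out via %s\n' "$myaddr" "$iface"
    printf 'add 40 allow udp from any 53 to %s in via %s\n' "$myaddr" "$iface"
    printf 'add 50 deny log ip from any to any in via %s\n' "$iface"
}

# Guard against the ordering problem discussed above: read a rule file on
# stdin and succeed only if every 'add N' number is strictly greater than the
# previous one, i.e. the rules would be installed in the intended order.
check_rule_order() {
    awk 'BEGIN { last = 0; bad = 0 }
         $1 == "add" { if ($2 + 0 <= last) bad = 1; last = $2 + 0 }
         END { exit bad }'
}

# Write the rules to a file (assumed path) and hand it to ipfw once.  Because
# ppp.linkup runs this with 'shell', ppp waits until ipfw has returned, so no
# rule is missing or out of order by the time traffic starts flowing.
load_rules() {
    myaddr=$1; iface=$2
    rules=/var/run/ipfw.ppp.rules
    gen_ipfw_rules "$myaddr" "$iface" > "$rules"
    check_rule_order < "$rules" || { echo "rule file out of order" >&2; return 1; }
    /sbin/ipfw -q "$rules"
}

# Only load rules when called with the two arguments ppp passes.
if [ $# -eq 2 ]; then
    load_rules "$1" "$2"
fi
```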