From owner-freebsd-bugs Mon Oct 23 08:40:06 2000
Date: Mon, 23 Oct 2000 08:40:02 -0700 (PDT)
Message-Id: <200010231540.IAA54834@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Reply-To: Ruslan Ermilov
Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny incoming connections

The following reply was made to PR bin/22238; it has been noted by GNATS.

From: Ruslan Ermilov
To: robmel@innotts.co.uk
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny incoming connections
Date: Mon, 23 Oct 2000 18:33:37 +0300

On Mon, Oct 23, 2000 at 10:25:27AM +0100, robmel@innotts.co.uk wrote:
>
> User PPP has the option to prevent any connections from being established from the
> remote end. The options "nat enable yes" and "nat deny_incoming yes" should
> place ppp in this state. It does not. PPP uses the libalias library which
> correctly returns the status flag PKT_ALIAS_IGNORED when an incoming
> connection is attempted. However, ppp does not drop the packet as advertised.
>
> The implications of this are serious for users who believe they are behind
> a one-way firewall. In fact, all their services which are not explicitly
> bound only to the loopback and/or internal interfaces are fully exposed on the
> Internet and can be connected to. While this does not bypass any other
> security which may be in place on these services, it markedly increases their
> ppp host's vulnerability to unauthorised access using other known or
> unknown exploits.
>
We recently had a discussion on this topic with Brian Somers. Hopefully, we will come up with a solution shortly.

--
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
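A constructed C model of the failure the PR describes, added here and not code from ppp or libalias: the session table, the alias_in() stand-in for PacketAliasIn(), the return-code values and both forwarding functions are assumptions made for this example. It shows why discarding the PKT_ALIAS_IGNORED result lets an unsolicited inbound packet reach any locally bound port even when deny_incoming is set.

```c
#include <stdint.h>

/* Return codes modelled on libalias; the numeric values are assumptions made
 * for this example, not copied from <alias.h>. */
#define PKT_ALIAS_OK      1
#define PKT_ALIAS_IGNORED 2

/* One NAT session the local host opened towards the remote end. */
struct flow { uint32_t remote_ip; uint16_t remote_port, local_port; };

static struct flow sessions[16];   /* constructed session table */
static int nsessions;

/* Record an outbound connection so replies to it can be translated back. */
void session_add(uint32_t rip, uint16_t rport, uint16_t lport)
{
    if (nsessions < 16) {
        sessions[nsessions].remote_ip = rip;
        sessions[nsessions].remote_port = rport;
        sessions[nsessions].local_port = lport;
        nsessions++;
    }
}

/* Stand-in for PacketAliasIn(): an inbound packet is translated only when it
 * answers a known outbound flow; otherwise deny_incoming decides whether it is
 * ignored (which the PR says libalias reports correctly) or let through. */
int alias_in(uint32_t src_ip, uint16_t src_port, uint16_t dst_port, int deny_incoming)
{
    for (int i = 0; i < nsessions; i++)
        if (sessions[i].remote_ip == src_ip && sessions[i].remote_port == src_port
            && sessions[i].local_port == dst_port)
            return PKT_ALIAS_OK;
    return deny_incoming ? PKT_ALIAS_IGNORED : PKT_ALIAS_OK;
}

/* Behaviour reported in bin/22238: the result is discarded and every packet is
 * handed to the host (1 = forward, 0 = drop). */
int ppp_forward_reported(uint32_t src_ip, uint16_t src_port, uint16_t dst_port, int deny_incoming)
{
    (void)alias_in(src_ip, src_port, dst_port, deny_incoming);
    return 1;
}

/* What the option advertises: a packet libalias ignored must be dropped. */
int ppp_forward_expected(uint32_t src_ip, uint16_t src_port, uint16_t dst_port, int deny_incoming)
{
    return alias_in(src_ip, src_port, dst_port, deny_incoming) == PKT_ALIAS_OK;
}
```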