From: David Kelly
To: Brian Whalen
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd/ipfw/sshd problem.
Date: Tue, 25 Sep 2001 22:07:32 -0500
In-Reply-To: Message from Brian Whalen of "Tue, 25 Sep 2001 19:48:15 PDT." <20010925194752.S61552-100000@cx175057-a.ocnsd1.sdca.home.com>
Message-Id: <200109260307.f8Q37Ww18996@grumpy.dyndns.org>

Brian Whalen writes:
> Is anyone doing anything about that??
[...]
> > > I find it interesting that somehow 27 packets got past 65000. Can only
> > > assume not all of the above rules were added at the same time.
> >
> > It is possible for packets to arrive before the firewall rules get
> > loaded. That's why the default is to deny all.

It is exactly the same to IP from the outside as if the interface was not
up yet. Compile IPFW into the kernel and "deny all" will be in effect
before the interface is open for business. Load it via kld and you have a
moment of vulnerability during boot.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
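An added example, not part of the thread or of FreeBSD itself: a small Python checker that parses `ipfw -a list` output (assumed column layout: rule number, packet count, byte count, rule body) and reports packets counted on the kernel's built-in rule 65535 even though a user catch-all deny (rule 65000 in the constructed sample) precedes it. That pattern is the symptom discussed above: traffic arrived while the ruleset was not yet loaded.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `ipfw -a list` output; not captured from a real host.
SAMPLE_IPFW_LIST = """\
00100     4    336 allow ip from any to any via lo0
00200     0      0 deny ip from any to 127.0.0.0/8
00300     0      0 deny ip from 127.0.0.0/8 to any
01000   118  14120 allow tcp from any to any 22 in
65000  3042 201664 deny ip from any to any
65535    27   2160 deny ip from any to any
"""

# rule-number  packets  bytes  rest-of-rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_ipfw_list(text: str) -> List[Dict]:
    """Turn `ipfw -a list` output into a list of {num, packets, bytes, body}."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        rules.append({"num": int(m.group(1)), "packets": int(m.group(2)),
                      "bytes": int(m.group(3)), "body": m.group(4).strip()})
    return rules

def check_boot_window(rules: List[Dict]) -> Tuple[Optional[int], int]:
    """Return (catch-all deny rule number or None, packets counted on 65535).

    A nonzero second value while a catch-all deny exists means packets were
    evaluated when only the kernel default rule was present, i.e. before the
    user ruleset was loaded (or after it was flushed)."""
    default = next((r for r in rules if r["num"] == 65535), None)
    catchall = next((r for r in rules
                     if r["num"] < 65535 and r["body"] == "deny ip from any to any"), None)
    default_pkts = default["packets"] if default else 0
    return (catchall["num"] if catchall else None, default_pkts)

if __name__ == "__main__":
    catchall_num, leaked = check_boot_window(parse_ipfw_list(SAMPLE_IPFW_LIST))
    if catchall_num is not None and leaked:
        print(f"{leaked} packets hit rule 65535 although rule {catchall_num} "
              "is a catch-all deny: ruleset was not loaded when they arrived")
```

On a live host, feed it the real output with `ipfw -a list | python3 this_script.py`-style plumbing of your choice; a count on 65535 that keeps growing after boot points at something other than the load-order window.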