Date: Tue, 25 Sep 2001 22:07:32 -0500
From: David Kelly <dkelly@grumpy.dyndns.org>
To: Brian Whalen <bri@sonicboom.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd/ipfw/sshd problem.
Message-ID: <200109260307.f8Q37Ww18996@grumpy.dyndns.org>
In-Reply-To: Message from Brian Whalen <bri@sonicboom.org> of "Tue, 25 Sep 2001 19:48:15 PDT." <20010925194752.S61552-100000@cx175057-a.ocnsd1.sdca.home.com>
Brian Whalen writes:
> Is anyone doing anything about that??
[...]
> > > I find it interesting that somehow 27 packets got past 65000. Can only
> > > assume not all of the above rules were added at the same time.
> >
> > It is possible for packets to arrive before the firewall rules get
> > loaded. That's why the default is to deny all.

It is exactly the same to IP from the outside as if the interface was not up yet. Compile IPFW into the kernel and "deny all" will be in effect before the interface is open for business. Load it via kld and you have a moment of vulnerability during boot.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its capacity
-- the rest is overhead for the operating system.
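As an added illustration (not part of the message above), the two ways of getting ipfw onto a FreeBSD box that the reply contrasts, side by side; the kernel options and rc.conf knobs are the standard FreeBSD ones, while the kernel name MYKERNEL and the rule file path are placeholders:

```conf
# Option A: ipfw compiled into the kernel (kernel config file, e.g. MYKERNEL).
# The implicit last rule 65535 "deny ip from any to any" exists as soon as the
# kernel's IP stack does, i.e. before any interface is configured, so the
# boot-time window the reply describes never opens.
options IPFIREWALL
options IPDIVERT                        # divert(4) sockets, needed by natd
# Do NOT add this: it flips the built-in default from deny to accept and
# the early "deny all" protection is gone.
# options IPFIREWALL_DEFAULT_TO_ACCEPT

# Option B (the risky one in the thread): ipfw only as a loadable module.
# /etc/rc.conf
firewall_enable="YES"                   # rc scripts kldload ipfw.ko if it is
                                        # not in the kernel, then load rules
firewall_type="/etc/ipfw.rules"         # placeholder path to the rule file
# With option B the interfaces are already up when the module and the rules
# are loaded, so packets arriving in that window meet no firewall at all.
```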