Date:      Tue, 25 Sep 2001 20:09:19 -0700 (PDT)
From:      Brian Whalen <bri@sonicboom.org>
To:        David Kelly <dkelly@grumpy.dyndns.org>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: natd/ipfw/sshd problem. 
Message-ID:  <20010925200850.A61552-100000@cx175057-a.ocnsd1.sdca.home.com>
In-Reply-To: <200109260307.f8Q37Ww18996@grumpy.dyndns.org>

I thought the thread was that potentially a few packets may be getting
thru b4 the firewall loaded??

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Tue, 25 Sep 2001, David Kelly wrote:

> Brian Whalen writes:
> > Is anyone doing anything about that??
> [...]
> > > > I find it interesting that somehow 27 packets got past 65000. Can only
> > > > assume not all of the above rules were added at the same time.
> > >
> > > 	It is possible for packets to arrive before the firewall rules get
> > > 	loaded.
>
> That's why the default is to deny all. Is exactly the same to IP from
> the outside as if the interface was not up yet.
>
> Compile IPFW into the kernel and "deny all" will be in effect before
> the interface is open for business. Load it via kld and you have a
> moment of vulnerability during boot.
>
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
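An audit check in the spirit of David's point, added here as an example that is not part of the thread: it parses constructed `kldstat` and `ipfw -a list` output (marked as constructed in the code, with the 4.x-era column layout assumed) to report whether ipfw is a loadable module rather than compiled in, whether rule 65535 denies by default, and how many packets were counted on 65535 despite an earlier deny-all rule, which is the 27-packet symptom quoted above.

```python
import re

# Constructed sample output (not from the thread), shaped like `kldstat` and
# `ipfw -a list` on a FreeBSD 4.x host that loads ipfw as a module.
KLDSTAT_SAMPLE = """\
Id Refs Address    Size     Name
 1    4 0xc0100000 1c6e8c   kernel
 2    1 0xc0d0a000 12000    ipfw.ko
"""
IPFW_LIST_SAMPLE = """\
00100     812    90412 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
65000    5123  1293102 deny ip from any to any
65535      27     1620 deny ip from any to any
"""
# rule number, packet counter, byte counter, action, rest of the rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*?)\s*$")

def parse_ipfw_list(text):
    """Return [(rule_no, packets, bytes, action, body), ...] from `ipfw -a list`."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        num, pkts, byts, action, body = m.groups()
        rules.append((int(num), int(pkts), int(byts), action, body))
    return rules

def ipfw_loaded_as_kld(kldstat_text):
    """True when ipfw came in as ipfw.ko rather than compiled into the kernel."""
    return any(line.split()[-1:] == ["ipfw.ko"] for line in kldstat_text.splitlines())

def audit_boot_window(kldstat_text, ipfw_list_text):
    """Flag what the thread discusses: ipfw as a module (no rules until it loads),
    a non-deny default rule, and packets counted on 65535 even though an earlier
    deny-all rule exists (they can only have arrived before that rule did)."""
    rules = parse_ipfw_list(ipfw_list_text)
    kld = ipfw_loaded_as_kld(kldstat_text)
    default = next((r for r in rules if r[0] == 65535), None)
    default_deny = default is not None and default[3] == "deny"
    catch_all = [r for r in rules
                 if r[0] < 65535 and r[3] == "deny" and r[4] == "ip from any to any"]
    slipped = default[1] if (default and catch_all) else 0
    findings = []
    if kld:
        findings.append("ipfw.ko loaded as a module: no rules exist until it and the ruleset load")
    if not default_deny:
        findings.append("rule 65535 is not deny: unmatched traffic is accepted")
    if slipped:
        findings.append("%d packets reached 65535 past deny-all rule %05d" % (slipped, catch_all[0][0]))
    return {"loaded_as_kld": kld, "default_deny": default_deny,
            "packets_past_catch_all": slipped, "findings": findings}
```

On a real host, feed it the output of `kldstat` and `ipfw -a list`; a non-zero `packets_past_catch_all` on a box that loads ipfw as a module is the boot-time gap the thread describes.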