Date: Mon, 8 Feb 1999 08:40:07 +0000 (GMT)
From: "Open Systems Inc." <opsys@open-systems.net>
To: Matt Behrens <matt@zigg.com>
Cc: security@FreeBSD.ORG
Subject: Re: bypassing "allow ip from any to any"?
Message-ID: <Pine.BSF.3.96.990208083523.23016A-100000@freebsd.omaha.com>
In-Reply-To: <Pine.BSF.4.05.9902080820170.2539-100000@megaweapon.zigg.com>
On Mon, 8 Feb 1999, Matt Behrens wrote:

> yet this came across in my logs last night:
>
> xxx.xxx.xxx denied packets:
>
> 65535 2 139 deny ip from any to any
>
> I don't see how it could, unless someone was fudging with my ipfw
> config. Or do I just not know something? (I do run options NETATALK
> here, could that somehow have snuck in?)

Spooky huh? :-)

What you're seeing is what I and others discussed a few months back.

What happens is, you default your kernel to open or closed. You set up
your rules and then you reboot. On reboot there is a small window where
the kernel is loaded and packets are allowed or denied based on whether
your kernel is configured for deny all or allow all, BEFORE your rules
are loaded from rc.firewall.

I.e., kernel loads, a few packets get received, screen saver loads,
sendmail loads, rc.firewall loads.

I make my kernel default to deny, and have 2 deny all rules in my
rc.firewall. This should catch everything:

65534 0 0 deny log ip from any to any
  <-- this rule will deny everything once rc.firewall is loaded.

65535 3 244 deny ip from any to any
  <--- this rule catches the packets that slip through the window on bootup.

Make sense?

Chris

--
"Join Team-FreeBSD on cracking RC5-64! grab your client now and HELP OUT!
http://www.distributed.net/cgi/select.cgi"
===================================|
Open Systems FreeBSD Consulting.          | E-Mail: opsys@open-systems.net
FreeBSD 2.2.8 is available now!           | http://www.freebsd.org
Phone: 402-573-9124                       | Consulting, Network Engineering, Security
-----------------------------------|
3335 N. 103 Plaza #14, Omaha, NE 68134    | http://open-systems.net
FreeBSD: The power to serve!
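One way to check after the fact whether packets slipped through the boot window Chris describes, as an added example that is not part of this thread: a small sh script that reads counters in the `ipfw -a list` format shown in the mail (`rule packets bytes action ...`) and reports hits on the kernel default rule 65535 and whether the explicit rule 65534 is present. The listing below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): audit ipfw counters for packets that hit the
# kernel default rule 65535 before rc.firewall installed its own deny-all rule.
# Assumes lines of the form "<rule> <pkts> <bytes> <action ...>" as `ipfw -a list` prints.

# Constructed sample listing, mirroring the two deny rules and counters from the mail.
SAMPLE_LISTING='00100 10 800 allow ip from any to any via lo0
65534 0 0 deny log ip from any to any
65535 3 244 deny ip from any to any'

# Print the packet counter of one rule number (empty if the rule is absent).
# usage: rule_packets <listing> <rule-number>
rule_packets() {
    printf '%s\n' "$1" | awk -v rule="$2" '$1 == rule + 0 { print $2; exit }'
}

# Succeed (exit 0) when the default rule 65535 counted packets, i.e. traffic
# arrived while only the compiled-in kernel default was in effect.
# usage: boot_window_leak <listing>
boot_window_leak() {
    n=$(rule_packets "$1" 65535)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Human-readable report: is the rc.firewall deny-all rule there, and did anything
# reach the default rule?
# usage: audit_ipfw <listing>
audit_ipfw() {
    listing="$1"
    if [ -z "$(rule_packets "$listing" 65534)" ]; then
        echo "WARN: no explicit rule 65534; add to rc.firewall: 65534 deny log ip from any to any"
    fi
    if boot_window_leak "$listing"; then
        echo "INFO: $(rule_packets "$listing" 65535) packet(s) hit default rule 65535 (boot window)"
    else
        echo "OK: no packets reached the kernel default rule"
    fi
}

audit_ipfw "$SAMPLE_LISTING"
# Against a live FreeBSD box with ipfw loaded:  audit_ipfw "$(ipfw -a list)"
```

Because the default rule's counter only ever increments before rc.firewall loads (once 65534 is in place it shadows 65535), any non-zero count on 65535 is a direct measure of the boot window.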