Date:      Tue, 21 Aug 2001 13:56:23 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        Bart Matthaei <bart@xs4nobody.nl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPfw and DHCP
Message-ID:  <20010821135623.E7824@ringworld.oblivion.bg>
In-Reply-To: <20010821124202.B84400@heresy.xs4nobody.nl>; from bart@xs4nobody.nl on Tue, Aug 21, 2001 at 12:42:03PM +0200
References:  <20010821124202.B84400@heresy.xs4nobody.nl>

On Tue, Aug 21, 2001 at 12:42:03PM +0200, Bart Matthaei wrote:
> Run dhclient before you load the firewall rules..
> 
> and use recv and via <if> instead of ip addresses :)

recv and via <if> do not provide the security that an IP address
provides.  In particular, both 'recv' and 'via <if>' fail to protect
against the following case:

NIC 1	xl0	192.168.0.13		RFC1918 LAN
NIC 2	xl1	128.128.128.128		public

ipfw add allow any recv via xl1

This would let a packet with a destination address of 192.168.0.13
via your public interface.  And believe me, the chances of such a
packet appearing on the wire are not so slim these days :)

A better solution would be to have dhclient run *after* the initial
firewall setup (after the firewall rulesets are flushed), and
define hooks for obtaining/renewing/expiring a lease, which add or
remove firewall rules as appropriate.  Unfortunately, I've never done
DHCP hooks, and I have no idea how exactly to provide those.
(Maybe it's as simple as putting something similar to /sbin/dhclient-script
into /etc/dhclient-exit-hooks?)

G'luck,
Peter

-- 
Nostalgia ain't what it used to be.

> On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> > Hi All,
> > 
> > Is there any way at system startup and/or via a cron job to pass my DHCP
> > IP address from my external interface to rc.firewall?
> > So my firewall rules still work if my external DHCP lease gets a new
> > IP address.
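One way the exit-hook idea from the message could be implemented, as an added example that is not code from the thread or from FreeBSD: an /etc/dhclient-exit-hooks fragment that installs address-specific ipfw rules when a lease is bound, replaces them when a renewal changes the address, and removes them when the lease expires. It assumes ISC dhclient-script's exported variables ($reason, $new_ip_address, $old_ip_address); the interface name xl1 comes from the message, while the LAN range and rule numbers 1000-1002 are assumptions.

```shell
# Constructed /etc/dhclient-exit-hooks fragment (added example, not from the
# thread).  dhclient-script sources this file after each lease event and
# exports $reason, $new_ip_address and $old_ip_address.  xl1 is the public
# interface from the message; the LAN range and rule numbers are assumptions.
PUBLIC_IF="${PUBLIC_IF:-xl1}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
RULE_BASE="${RULE_BASE:-1000}"   # ipfw rule numbers owned by this hook
IPFW="${IPFW:-/sbin/ipfw}"       # set IPFW=: or IPFW=echo for a dry run
# Print the ipfw commands for a concrete lease address.  The anti-spoofing
# rules come first: a packet carrying an RFC1918 address on the public
# interface is dropped regardless of what "recv via xl1" would let through.
lease_rules() {
    printf '%s\n' \
      "add $RULE_BASE deny ip from any to $LAN_NET recv $PUBLIC_IF" \
      "add $RULE_BASE deny ip from $LAN_NET to any recv $PUBLIC_IF" \
      "add $((RULE_BASE + 1)) allow tcp from any to $1 22 in recv $PUBLIC_IF setup" \
      "add $((RULE_BASE + 2)) allow ip from $1 to any out xmit $PUBLIC_IF"
}

apply_lease_rules() {
    lease_rules "$1" | while read -r rule; do $IPFW -q $rule; done
}
# Delete every rule number this hook owns so a stale address never lingers.
flush_lease_rules() {
    for n in "$RULE_BASE" "$((RULE_BASE + 1))" "$((RULE_BASE + 2))"; do
        $IPFW -q delete "$n"
    done
}

# Map a dhclient event to a firewall action and report what was done, so the
# outcome can be checked without touching a live firewall.
handle_lease_event() {
    event="$1"; new_ip="$2"; old_ip="$3"
    case "$event" in
        BOUND|REBOOT)
            apply_lease_rules "$new_ip"; echo "installed $new_ip" ;;
        RENEW|REBIND)
            if [ "$new_ip" = "$old_ip" ]; then
                echo "unchanged $new_ip"
            else
                flush_lease_rules; apply_lease_rules "$new_ip"
                echo "replaced $old_ip with $new_ip"
            fi ;;
        EXPIRE|FAIL|RELEASE)
            flush_lease_rules; echo "removed $old_ip" ;;
        *)  echo "ignored $event" ;;
    esac
}

# Only act when dhclient-script has sourced us (it sets $reason).
[ -z "$reason" ] || handle_lease_event "$reason" "$new_ip_address" "$old_ip_address"
```

Because the deny rules are keyed to the interface rather than the lease address, they stay valid across renewals, while the allow rules are rewritten whenever the address changes.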
