From owner-freebsd-security Tue Aug 21 4: 0:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from xs4nobody.nl (xs4nobody.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id B76E737B412 for ; Tue, 21 Aug 2001 04:00:17 -0700 (PDT) (envelope-from bart@xs4nobody.nl)
Received: (qmail 84552 invoked by uid 1000); 21 Aug 2001 11:00:16 -0000
Date: Tue, 21 Aug 2001 13:00:16 +0200
From: Bart Matthaei
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
Subject: Re: IPfw and DHCP
Message-ID: <20010821130016.A84537@heresy.xs4nobody.nl>
Reply-To: Bart Matthaei
References: <20010821124202.B84400@heresy.xs4nobody.nl> <20010821135623.E7824@ringworld.oblivion.bg>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010821135623.E7824@ringworld.oblivion.bg>; from roam@ringlet.net on Tue, Aug 21, 2001 at 01:56:23PM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

ipfw add deny all from 192.0.0.0/8 to any via xl1

nuff said :)

rgds,

Bart

On Tue, Aug 21, 2001 at 01:56:23PM +0300, Peter Pentchev wrote:
> On Tue, Aug 21, 2001 at 12:42:03PM +0200, Bart Matthaei wrote:
> > Run dhclient before you load the firewall rules..
> >
> > and use recv and via instead of IP addresses :)
>
> recv and via do not provide the security that an IP address
> provides. In particular, both 'recv' and 'via ' fail to protect
> against the following case:
>
> NIC 1   xl0   192.168.0.13      RFC1918 LAN
> NIC 2   xl1   128.128.128.128   public
>
> ipfw add allow any recv via xl1
>
> This would let a packet with a destination address of 192.168.0.13
> via your public interface. And believe me, the chances of such a
> packet appearing on the wire are not so slim these days :)
>
> A better solution would be to have dhclient run *after* the initial
> firewall setup (after the firewall rulesets are flushed), and
> define hooks for obtaining/renewing/expiring a lease, which add or
> remove firewall rules as appropriate. Unfortunately, I've never done
> DHCP hooks, and I have no idea on how exactly to provide those.
> (Maybe it's as simple as putting something similar to /sbin/dhclient-script
> into /etc/dhclient-exit-hooks?)
>
> G'luck,
> Peter
>
> --
> Nostalgia ain't what it used to be.
>
> > On Tue, Aug 21, 2001 at 11:53:43AM +0200, Lasse Osterberg wrote:
> > > Hi All,
> > >
> > > Is there any way at system startup and/or via a cron job to pass my DHCP
> > > IP address from my external interface to rc.firewall?
> > > So my firewall rules still work if my external DHCP lease gets a new
> > > IP address.

--
Bart Matthaei | bart@xs4nobody.nl | +31 6 24907042
-------------------------------------------------
/* It's always funny until someone gets hurt..
 * (and then it's just hilarious) */

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
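The lease-hook approach Peter sketches (keep rules bound to the leased address, and let dhclient add or remove them on each lease event) can be written as an /etc/dhclient-exit-hooks fragment. The script below is an added example for this thread, not code posted by any of the participants. It relies on the variables dhclient-script(8) exports to exit hooks ($reason, $new_ip_address); the interface name xl1 and the 192.168.0.0/16 LAN come from Peter's scenario, while the reserved rule numbers 1000-1003 and the IPFW override are assumptions made for illustration. The rule set also carries the two anti-spoofing checks the thread is about (no RFC1918 source or destination on the public interface), which 'recv'/'via' alone do not give you.

```shell
#!/bin/sh
# Added example: an /etc/dhclient-exit-hooks fragment that keeps ipfw rules
# bound to the current DHCP lease address rather than to the interface.
# dhclient(8) sources this file after every lease event; $reason and
# $new_ip_address are the names documented in dhclient-script(8).
# Rule numbers 1000-1003 and the defaults below are assumptions for the example.

EXT_IF=${EXT_IF:-xl1}                 # public interface from the thread's example
LAN_NET=${LAN_NET:-192.168.0.0/16}    # RFC1918 LAN behind xl0
RULE_BASE=${RULE_BASE:-1000}          # rules RULE_BASE..RULE_BASE+3 are lease-bound
IPFW=${IPFW:-/sbin/ipfw}              # set IPFW=echo to dry-run without touching the kernel

# Emit the ipfw argument lines that install rules for external address $1.
# Rules 0/1 are the anti-spoofing checks the thread discusses; rules 2/3 admit
# traffic only for the address actually leased, not for "anything via xl1".
lease_rules() {
    addr=$1
    printf '%s\n' \
        "add $RULE_BASE deny ip from $LAN_NET to any in via $EXT_IF" \
        "add $((RULE_BASE + 1)) deny ip from any to $LAN_NET in via $EXT_IF" \
        "add $((RULE_BASE + 2)) allow ip from any to $addr in via $EXT_IF" \
        "add $((RULE_BASE + 3)) allow ip from $addr to any out via $EXT_IF"
}

# Emit the argument lines that remove the four lease-bound rules.
flush_rules() {
    i=0
    while [ "$i" -lt 4 ]; do
        printf 'delete %s\n' $((RULE_BASE + i))
        i=$((i + 1))
    done
}

# Map a dhclient reason to the ipfw argument lines to apply (one per line).
# A new or renewed lease replaces the old rules; losing the lease removes them;
# any other phase (PREINIT, MEDIUM, TIMEOUT, ...) leaves the rules alone.
plan_for() {
    reason=$1
    new=$2
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT)
            flush_rules
            lease_rules "$new"
            ;;
        EXPIRE|FAIL|RELEASE)
            flush_rules
            ;;
        *)
            ;;
    esac
}

# Run the plan through ipfw. Deleting a rule that is not present (first lease
# after boot) is harmless, so its error is ignored.
apply_plan() {
    plan_for "$1" "$2" | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $IPFW -q $line 2>/dev/null || true
    done
}

# When sourced by dhclient, $reason is set and we act on it; when run by hand
# without it, nothing is changed.
if [ -n "${reason:-}" ]; then
    apply_plan "$reason" "${new_ip_address:-}"
fi
```

To see what a lease event would do without changing anything, run `IPFW=echo reason=BOUND new_ip_address=128.128.128.128 sh /etc/dhclient-exit-hooks`. Because dhclient is what installs the address-specific rules, the static part of rc.firewall can be loaded first with the public interface closed, which is the ordering Peter argues for.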