Date: Wed, 4 Nov 1998 20:29:56 -0500 (EST)
From: Open Systems Networking <opsys@mail.webspan.net>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Amazing wonder packet sneaks by deny all rule?
Message-ID: <Pine.BSF.4.02.9811042020540.683-100000@orion.webspan.net>
In-Reply-To: <Pine.BSF.3.96.981104113649.29377C-100000@fledge.watson.org>
On Wed, 4 Nov 1998, Robert Watson wrote:

> Chris,
>
> My guess is it is a race condition. The packet arrived between when your
> network interface went up, and the ruleset was added. Because your
> default policy is deny, it worked fine. However, this does actually bring
> interesting risks to mind: as long as the rules are added in numeric
> order, and the default policy is deny, you should always get consistent
> (if overly draconian) policy during bootup. However, if you have your
> ipfw lines not in the rule order, then some allows might be installed in
> the list of rules *before* the denies that precede them. In this
> situation, the race condition would allow a packet in that should not have
> been allowed in. The whole effect is because the installation of ipfw
> rules is non-atomic.
>
> I wondered for a while about the same thing on some of my systems.

That is what is happening: as the machine comes up, but before the ipfw
rules are loaded, it's receiving packets. Good thing the kernel has the
deny all rule in it in addition to my deny all rule, or those packets would
be sneaking by. I'm assuming anyway that the default deny all policy is
catching ALL the packets that slip through BEFORE my rules have a chance to
load?

Maybe a note should be added to the ipfw man page stating that if you set
the default policy to open in the kernel, there is a small window between
when you reboot your machine and the time your ipfw rules load, during
which packets will get through?

I'm glad I noticed this now, and without having two deny all rules I never
would have. I'll have to think about this one.

Chris

-- 
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp."  --Wes Peters

===================================| Open Systems FreeBSD Consulting.
FreeBSD 3.0 is available now!      | Phone: (402)573-9124 / ICQ # 20016186
-----------------------------------| 3335 N. 103 Plaza, Omaha, NE 68134
FreeBSD: The power to serve!       | E-Mail: opsys@open-systems.net
http://www.freebsd.org             | Consulting, Network Engineering, Security
===================================| http://open-systems.net
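A toy model of the boot-time race discussed above, added here as an illustration (it is not code from the thread or from ipfw itself): rules are evaluated first-match in ascending number order, but installed one at a time, so the verdict for a packet can change at every load step. The rule numbers, the "telnet" traffic tag and the catch-all deny are constructed for the example.

```python
# Added example, not from the thread or from ipfw itself: a toy model of
# ipfw's first-match evaluation, used to show the boot-time window that
# a non-atomic ruleset load opens. Rule numbers and packet tags are made up.
from typing import List, Tuple

# (rule number, action, match) where match is "any" or a constructed traffic tag
Rule = Tuple[int, str, str]


def evaluate(installed: List[Rule], packet: str, default_policy: str) -> str:
    """ipfw walks rules in ascending number order; the first match decides,
    otherwise the kernel's compiled-in default policy applies."""
    for _number, action, match in sorted(installed):
        if match in ("any", packet):
            return action
    return default_policy


def boot_window(install_order: List[Rule], packet: str,
                default_policy: str) -> List[str]:
    """Verdict for `packet` at each step of a rule-by-rule load: index 0 is
    'interface up, no rules yet', index i is 'first i rules installed'."""
    installed: List[Rule] = []
    verdicts = [evaluate(installed, packet, default_policy)]
    for rule in install_order:
        installed.append(rule)
        verdicts.append(evaluate(installed, packet, default_policy))
    return verdicts


def leaky_steps(verdicts: List[str], intended: str) -> List[int]:
    """Load steps at which the verdict differs from the finished ruleset's."""
    return [i for i, v in enumerate(verdicts) if v != intended]


# Constructed ruleset in its numeric order: drop telnet, allow the rest,
# and an explicit catch-all deny like Chris's second "deny all" rule.
RULESET: List[Rule] = [(100, "deny", "telnet"),
                       (200, "allow", "any"),
                       (65000, "deny", "any")]
# Same rules, but the allow is installed before the deny that precedes it.
OUT_OF_ORDER: List[Rule] = [RULESET[1], RULESET[0], RULESET[2]]

if __name__ == "__main__":
    for label, order in (("numeric order", RULESET), ("allow first", OUT_OF_ORDER)):
        for policy in ("deny", "allow"):
            v = boot_window(order, "telnet", policy)
            print(f"{label:13} kernel default={policy:5} verdicts={v} "
                  f"leaky steps={leaky_steps(v, 'deny')}")
```

With a default-deny kernel and rules loaded in numeric order the telnet verdict is "deny" at every step; a default-open kernel leaks at step 0, and installing the allow before its preceding deny leaks at step 1 even with default deny, which is exactly the ordering risk Robert describes.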