Date:      Thu, 5 Nov 1998 06:24:43 -0500 (EST)
From:      Open Systems Networking <opsys@mail.webspan.net>
To:        Andrew McNaughton <andrew@squiz.co.nz>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Amazing wonder packet Part 2.
Message-ID:  <Pine.BSF.4.02.9811050614460.26130-100000@orion.webspan.net>
In-Reply-To: <Pine.BSF.4.01.9811052345450.17028-100000@aniwa.sky>

On Fri, 6 Nov 1998, Andrew McNaughton wrote:

> There was an earlier post that covered this which I think you haven't read
> or haven't understood.
> 
> Assuming that the default policy is to deny all and assuming that rules
> are added in numerical order, the result of any rule being missing can
> only be to deny the packet, which should be safe for most purposes.
> 
> In most cases there's no problem for your solution.

No, my solution is solved, as Robert said, by just having the default policy
to deny all, and having my rules numerically ordered as they are now.
The point of my post was a solution I was mailed that implemented what
Robert said in the last part: to have rule one deny everything and then
remove it when the rules have loaded. This is a fix for those with a
policy of default to open in the kernel. My solution is fine since I have
deny all as my default policy and a deny all as my last rule, which should
guarantee that my policies are carried out and that nothing sneaks by.
I was merely asking if this person's solution is what Robert was thinking
for those that have a default policy of open, and if it was implemented
right, because most people are not aware of this race condition at all.
And I plan on adding this fix to my pages for those who have a default
policy to open, so they get the same warm fuzzy feeling as I do with a
closed default policy. I just wanted to make sure that the fix I just
posted was what Robert was talking about and to make sure the
solution I posted was on par with what Robert said. That's all.
I'm pretty sure it is, but wanted to double check.

Chris

--
"You both seem to be ignoring the fact that the networking market is
driven by so-called 'IT professionals' these days, most of whom can't
tell the difference between an ARP and a carp." --Wes Peters

===================================| Open Systems FreeBSD Consulting.
   FreeBSD 3.0 is available now!   | Phone: (402)573-9124 / ICQ # 20016186
-----------------------------------| 3335 N. 103 Plaza, Omaha, NE  68134
   FreeBSD: The power to serve!    | E-Mail: opsys@open-systems.net
      http://www.freebsd.org       | Consulting, Network Engineering, Security
===================================| http://open-systems.net
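The load-time guard the thread describes (install a rule 1 that denies everything, load the real ruleset, then delete rule 1 so a default-to-open kernel never has a window where packets pass before the rules exist), written out as an added shell example. This is not code from the thread or from FreeBSD's rc.firewall; the sample rules are constructed, and the `IPFW` variable is an assumption so the sequence can be dry-run with `IPFW=echo` or a stub.

```shell
#!/bin/sh
# Added example: close the ipfw rule-loading race for a kernel whose
# default policy is "open". Rule 1 denies everything while the ruleset is
# incomplete; it is removed only after the last (deny-all) rule is in place.
# Assumes ipfw(8) "add"/"delete" syntax; IPFW is an assumed override hook.
IPFW=${IPFW:-ipfw}

# Constructed sample ruleset: one ipfw "add" argument list per line,
# in ascending rule-number order, ending with an explicit deny-all.
RULES='100 allow ip from any to any via lo0
200 deny ip from 127.0.0.0/8 to any
300 allow tcp from any to any established
65000 deny ip from any to any'

load_ruleset() {
    # 1. Guard rule: nothing passes until the whole ruleset is loaded.
    $IPFW add 1 deny ip from any to any || return 1

    # 2. Load the permanent rules in numerical order (here-doc, not a
    #    pipe, so "return" leaves the function and not a subshell).
    while read -r rule; do
        [ -n "$rule" ] || continue
        $IPFW add $rule || return 1
    done <<EOF
$RULES
EOF

    # 3. Only now is it safe to drop the guard: rule 65000 already
    #    denies whatever the rules above it did not explicitly allow.
    $IPFW delete 1
}
```

Call `load_ruleset` as root from the boot-time firewall script; if any `add` fails the function returns non-zero and leaves rule 1 in place, so the box stays closed rather than silently open.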

