Date:      Sat, 20 Jan 2001 15:07:12 -0800
From:      Kris Kennaway <kris@FreeBSD.ORG>
To:        "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Strange ipfw behavior
Message-ID:  <20010120150712.B53292@citusc17.usc.edu>
In-Reply-To: <000b01c082e0$0b32d5e0$0600a8c0@ibmka.internethelp.ru>; from nkritsky@internethelp.ru on Sat, Jan 20, 2001 at 03:53:53PM +0300
References:  <000b01c082e0$0b32d5e0$0600a8c0@ibmka.internethelp.ru>


On Sat, Jan 20, 2001 at 03:53:53PM +0300, Nickolay A. Kritsky wrote:
> Hi all.
> i am running FreeBSD box with ipfw and natd.
> can you help me explaining some strange behavior of ipfw:
>
> box# ipfw show
> <skip>
> 2600    13    728    deny log ip from any to any
> 65535    75    23790    deny ip from any to any

Do an ipfw -at show and I bet those packets arrived right after the
system booted. There is a race condition between the network being
brought up and the firewall rules being loaded, which means that a few
packets (in your case, 75) can make it into the box before the rules
are loaded.

This is why a default to deny policy is essential, otherwise during
that brief window your firewall would be passing packets in every
direction unrestricted, and may allow an attacker to do stuff (if they
could trigger a reboot of your firewall, they have quite a long time
to play with your internal network).

Kris

-- 
NOTE: To fetch an updated copy of my GPG key which has not expired,
finger kris@FreeBSD.org
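The check suggested above (run `ipfw -at show` and see whether the last-match times on the deny rules line up with boot) can be scripted. What follows is an added example, not part of the original post and not FreeBSD's own tooling. It parses constructed sample output in the shape of `ipfw -at show` (rule number, packets, bytes, last-match time in ctime format, rule body) and of `sysctl kern.boottime`, and flags rules whose last match landed within a short window after boot. The column layout, the sample counters and timestamps, and the 120-second window are assumptions; compare the layout against your own ipfw version before relying on it.

```python
"""Flag ipfw rules whose last match falls inside the boot-time window.

Added example, not from the mailing-list post or from FreeBSD. It assumes
the output shapes shown in the constructed samples below (ipfw -at show
and sysctl kern.boottime); verify them against your own system.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `ipfw -at show`. Rules that never matched have a
# blank timestamp column. The 75 packets on rule 65535 are the kind the
# post describes: they hit the implicit default rule a few seconds after
# boot, before the ruleset was loaded.
IPFW_AT_SHOW = """\
00100     0       0                          allow ip from any to any via lo0
00200   412   31940 Sat Jan 20 15:02:41 2001 allow tcp from any to me 22 in
02600    13     728 Sat Jan 20 15:06:09 2001 deny log ip from any to any
65535    75   23790 Sat Jan 20 03:20:07 2001 deny ip from any to any
"""

# Constructed sample of `sysctl kern.boottime`; only the ctime tail is used
# so that it is compared in the same local-time format ipfw prints.
KERN_BOOTTIME = ("kern.boottime: { sec = 979953600, usec = 0 } "
                 "Sat Jan 20 03:20:00 2001")

# ctime(3) layout: "Sat Jan 20 03:20:07 2001", day space-padded if < 10.
CTIME = r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}"
RULE_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?:(?P<last>" + CTIME + r")\s+)?(?P<body>\S.*)$"
)


def parse_ctime(text):
    """Parse a ctime-style timestamp; %d accepts the space-padded day."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def boot_time(boottime_output):
    """Extract the boot timestamp from `sysctl kern.boottime` output."""
    m = re.search(CTIME, boottime_output)
    if not m:
        raise ValueError("no ctime timestamp in kern.boottime output")
    return parse_ctime(m.group(0))


def boot_window_hits(show_output, boottime_output, window_seconds=120):
    """Return (rule, packets, last_match, body) for every rule whose last
    match is within window_seconds after boot.

    Caveat: ipfw keeps only the *last* match time per rule. A rule that
    also fired later in the uptime will not be flagged even if some of
    its counted packets arrived during the boot window, so run this soon
    after boot or compare against a saved copy of the counters.
    """
    boot = boot_time(boottime_output)
    deadline = boot + timedelta(seconds=window_seconds)
    hits = []
    for line in show_output.splitlines():
        m = RULE_RE.match(line)
        if not m or not m.group("last"):
            continue  # unparsable line or rule that never matched
        last = parse_ctime(m.group("last"))
        if boot <= last <= deadline:
            hits.append((int(m.group("rule")), int(m.group("pkts")),
                         last, m.group("body")))
    return hits


def report(show_output, boottime_output, window_seconds=120):
    """Human-readable summary; the default rule 65535 is called out
    because hits there mean traffic was judged by the kernel default
    policy, not by the loaded ruleset."""
    lines = []
    for rule, pkts, last, body in boot_window_hits(show_output,
                                                   boottime_output,
                                                   window_seconds):
        tag = " (kernel default rule)" if rule == 65535 else ""
        lines.append("rule %05d: %d packet(s), last match %s, %s%s"
                     % (rule, pkts, last.strftime("%H:%M:%S"), body, tag))
    return lines


if __name__ == "__main__":
    for line in report(IPFW_AT_SHOW, KERN_BOOTTIME):
        print(line)
```

On a live box the two inputs are `ipfw -at show` and `sysctl kern.boottime`; if the flagged rule is 65535, the packets were decided by the kernel's compiled-in default (deny unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT), which is exactly the window the post warns about.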

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010120150712.B53292>