Date: Tue, 13 Jun 2000 15:26:45 -0400 (EDT) From: <freebsd-contact@research.poc.net> To: freebsd-security@freebsd.org Subject: rc.network firewall init Message-ID: <Pine.BSF.4.21.0006131512000.76423-100000@ouch.Oof.NET>
I've noticed that FreeBSD 4.0's /etc/rc.network brings up network interfaces before initializing firewall behavior. In the case of IPFIREWALL, when not compiled into the kernel, this causes a short window of 'exposure' during startup. In the time between network connectivity being established, and the IPFIREWALL KLD being loaded, all interfaces are up and unfiltered.

(An almost identical problem exists even when IPFIREWALL *is* compiled into the kernel, but the kernel option IPFIREWALL_DEFAULT_TO_ACCEPT is specified.)

One successful TCP handshake during this window can establish a connection that survives the firewall loading, due to IPFIREWALL's non-statefulness and the (resultant) commonality of "allow tcp from any to any established".

--Anatole Shaw
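The following is an added illustration, not part of the original mail or of FreeBSD's rc scripts: a small Python model of the startup window described above. It completes a TCP handshake while no filter is loaded, then applies a ruleset modelled on "allow tcp from any to any established" with a default deny, and compares that stateless filter with a stateful one. The endpoints, the filter classes and the simplified handshake are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def flow_key(p):
    # Identifies a connection regardless of packet direction
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class StatelessFilter:
    """Models 'allow tcp from any to any established' plus a default deny."""
    def __init__(self, local):
        self.local = local
    def allow(self, p):
        if p.ack:                              # 'established': ACK set, no state consulted
            return True
        return p.syn and p.src == self.local   # only the local host may open connections

class StatefulFilter:
    """Passes a flow only if its opening SYN was seen while the filter was active."""
    def __init__(self, local):
        self.local, self.state = local, set()
    def allow(self, p):
        k = flow_key(p)
        if k in self.state:
            return True
        if p.syn and not p.ack and p.src == self.local:
            self.state.add(k)                  # local host opened it: remember the flow
            return True
        return False

def run_scenario(make_filter, firewall_first):
    """True if a remote peer's data packet still gets through once the filter is up."""
    remote, local = ("192.0.2.7", 40000), ("10.0.0.1", 22)   # constructed endpoints
    fw = make_filter("10.0.0.1") if firewall_first else None
    host_conns = set()
    handshake = [Pkt(*remote, *local, syn=True),
                 Pkt(*local, *remote, syn=True, ack=True),
                 Pkt(*remote, *local, ack=True)]
    for p in handshake:
        if fw is not None and not fw.allow(p):
            break                              # dropped, so the handshake never completes
        if p.ack and not p.syn:
            host_conns.add(flow_key(p))        # host now holds an accepted connection
    if fw is None:
        fw = make_filter("10.0.0.1")           # loaded only after interfaces came up
    data = Pkt(*remote, *local, ack=True)
    return fw.allow(data) and flow_key(data) in host_conns
```

Only the combination of a stateless "established" rule and a filter loaded after the interfaces lets the pre-existing connection keep flowing; loading the filter first, or tracking state, closes it.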