Date: Sat, 24 Feb 2001 10:33:13 -0800 (PST)
From: mvh@ix.netcom.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/25344: ipfilter and ppp insecure in 4.2-Stable
Message-ID: <200102241833.f1OIXDu56528@freefall.freebsd.org>
>Number:         25344
>Category:       kern
>Synopsis:       ipfilter and ppp insecure in 4.2-Stable
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 24 10:40:03 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Mike Harding
>Release:        4.2-Stable
>Organization:
Namesafe
>Environment:
FreeBSD netcom1.netcom.com 4.2-STABLE FreeBSD 4.2-STABLE #1: Sat Feb 24 08:49:08 PST 2001 mvh@netcom1.netcom.com:/usr/obj/usr/src/sys/MIKEIPF i386
>Description:
The current /etc/rc.network file sets up ipfilter rules very early. This is good for static interfaces, but 'tun0' (the ppp interface) does not exist yet. The rules apparently do not apply until you do an 'ipf -y'. This means that PPP users with the current script may be running completely open without a firewall if they are using the January 14 or later /etc/rc.network in current, or the current version that it was merged from.
>How-To-Repeat:
Use ipfilter on a system with a ppp interface. Reboot. Do some network stuff and notice that 'ipfstat -ioh' reports no rules matched. Do an 'ipf -y' and do some more network stuff. Note that the packets are now being matched.
>Fix:
Do an 'ipf -y' at the end of /etc/rc.network, after all of the interfaces are added, if ipfilter is enabled.
>Release-Note:
>Audit-Trail:
>Unformatted:
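The fix the report asks for, as an added example (my code, not the reporter's and not FreeBSD's rc.network): an rc.network-style shell fragment that resyncs ipfilter's interface list with 'ipf -y' only when ipfilter_enable says yes and only once the dynamic interface (tun0) actually exists, so rules are never silently left unattached. IPF_RESYNC and IFCONFIG are hypothetical override variables added here so the logic can be exercised without a real ipfilter.

```sh
#!/bin/sh
# Added example; not the PR's text or FreeBSD's own rc.network code.
# Assumes rc.conf's ipfilter_enable variable and the standard 'ipf -y'
# resync command. IPF_RESYNC and IFCONFIG are hypothetical overrides.
: ${IPF_RESYNC:="ipf -y"}
: ${IFCONFIG:="ifconfig"}

# Return 0 if an rc.conf value means "yes" (case-insensitive), 1 otherwise.
checkyesno_val() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if every interface named in $* is known to ifconfig, 1 otherwise.
# A missing tun0 means ppp has not brought the link up yet, which is exactly
# the window the report describes: rules loaded, but nothing for them to bind to.
ifaces_present() {
    for _if in "$@"; do
        $IFCONFIG "$_if" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Resync ipfilter after the dynamic interfaces exist.
#   $1: value of ipfilter_enable; remaining args: interfaces that must exist.
# Returns 0 if the resync ran, 1 if ipfilter is disabled, 2 if an interface
# is still missing (caller should retry or log, not assume the firewall is up).
ipfilter_resync() {
    _enable=$1
    [ $# -gt 0 ] && shift
    checkyesno_val "$_enable" || return 1
    ifaces_present "$@" || return 2
    $IPF_RESYNC
}

# Intended use at the end of /etc/rc.network, after ppp has created tun0:
#   ipfilter_resync "${ipfilter_enable}" tun0
```

On a real system a return of 2 is the dangerous case from the report: the interface is not there yet, so the rules loaded earlier are not matching traffic.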