From owner-freebsd-bugs Sat Feb 24 10:40:08 2001
Message-Id: <200102241833.f1OIXDu56528@freefall.freebsd.org>
Date: Sat, 24 Feb 2001 10:33:13 -0800 (PST)
From: mvh@ix.netcom.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/25344: ipfilter and ppp insecure in 4.2-Stable

>Number:         25344
>Category:       kern
>Synopsis:       ipfilter and ppp insecure in 4.2-Stable
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 24 10:40:03 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Mike Harding
>Release:        4.2-Stable
>Organization:
Namesafe
>Environment:
FreeBSD netcom1.netcom.com 4.2-STABLE FreeBSD 4.2-STABLE #1: Sat Feb 24 08:49:08 PST 2001 mvh@netcom1.netcom.com:/usr/obj/usr/src/sys/MIKEIPF i386
>Description:
The current /etc/rc.network file sets up ipfilter rules very early. This is good for static interfaces, but 'tun0' (the ppp interface) does not exist yet. The rules apparently do not apply until you do an 'ipf -y'.

This means that PPP users with the current script may be running completely open without a firewall if they are using the January 14 or later /etc/rc.network in current, or the current version that it was merged from.
>How-To-Repeat:
Use ipfilter on a system with a ppp interface. Reboot. Do some network stuff and notice that 'ipfstat -ioh' reports no rules matched. Do an 'ipf -y' and do some more network stuff. Note that the packets are now being matched.
>Fix:
Do an 'ipf -y' at the end of /etc/rc.network, after all of the interfaces are added, if ipfilter is enabled.
>Release-Note:
>Audit-Trail:
>Unformatted:
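The 'ipfstat -ioh' check the reporter uses to notice that the ruleset is not attached, turned into a script a defender can run after boot. This is an added example, not part of the PR or of FreeBSD's rc scripts; it assumes the hit-count column that 'ipfstat -h' prints in front of each rule (constructed samples below) and a ppp interface named tun0.

```sh
#!/bin/sh
# Added check (not from the PR): decide from `ipfstat -ioh` output whether the
# loaded ruleset has ever matched a packet on a given interface. With -h,
# ipfstat prefixes each rule with its hit counter; a ruleset loaded before
# tun0 existed shows all-zero counters on tun0 even after traffic has flowed.

# Constructed sample: ruleset loaded from rc.network before ppp brought up tun0.
SAMPLE_STALE='3 pass in quick on lo0 all
0 block in log quick on tun0 from 192.168.0.0/16 to any
0 block in log quick on tun0 all
0 pass out quick on tun0 proto tcp from any to any keep state'

# Constructed sample: same ruleset after `ipf -y` re-attached it to tun0.
SAMPLE_RESYNCED='3 pass in quick on lo0 all
0 block in log quick on tun0 from 192.168.0.0/16 to any
12 block in log quick on tun0 all
41 pass out quick on tun0 proto tcp from any to any keep state'

# Usage: ipf_hits_on IFACE "<ipfstat -ioh output>"
# Prints the summed hit counter of every rule that names IFACE after "on".
ipf_hits_on() {
    printf '%s\n' "$2" | awk -v iface="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++)
                if ($(i-1) == "on" && $i == iface) { sum += $1; break }
        }
        END { print sum + 0 }'
}

# Usage: ipf_needs_resync IFACE "<ipfstat -ioh output>"
# Prints "resync" when no rule on IFACE has matched anything (the symptom in
# the report, fixed by `ipf -y`), "ok" otherwise.
ipf_needs_resync() {
    if [ "$(ipf_hits_on "$1" "$2")" -eq 0 ]; then
        echo resync
    else
        echo ok
    fi
}

# Stand-alone run: verdict for both samples (tun0 is the ppp interface).
ipf_needs_resync tun0 "$SAMPLE_STALE"     # prints: resync
ipf_needs_resync tun0 "$SAMPLE_RESYNCED"  # prints: ok
```

On a live system replace the samples with `ipf_needs_resync tun0 "$(ipfstat -ioh)"` after generating some traffic over the link.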