Date: Tue, 3 Apr 2007 18:40:54 +0300
From: Mike Makonnen <mtm@FreeBSD.Org>
To: AT Matik <asstec@matik.com.br>
Cc: jonw@whoweb.com, freebsd-ipfw@freebsd.org
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should execute $firewall_script not read it
Message-ID: <20070403154054.GA1468@rogue.navcom.lan>
In-Reply-To: <200704030804.31819.asstec@matik.com.br>
References: <200704021540.l32FerX8074400@freefall.freebsd.org> <200704021302.52345.asstec@matik.com.br> <20070403100324.GA1710@rogue.navcom.lan> <200704030804.31819.asstec@matik.com.br>
On Tue, Apr 03, 2007 at 08:04:31AM -0300, AT Matik wrote:
> I see your point
> but first tell me, how do you know that the rules are *successfully* loaded?

Sorry, I wrote that email from memory and thought that was how it operated. However, what it does is output a warning if the last rule is to deny all packets (btw, is that correct? I thought ipfw operated on a "first-match" basis, so there could be rules before that one to allow certain packets. The more I look at it, the more bogus it looks to me, but I'm not an ipfw user so... <shrug>).

Anyways, I believe your original comment had to do with enabling the firewall in a precmd() subroutine. I suppose in the end it comes down to personal preference. It just seems "more correct" to me that the rules are loaded first and then the firewall is turned on, but I can see how someone else might disagree.

I just thought of something else as well: Enabling the firewall and then loading the rules may introduce a brief window of vulnerability where the firewall is enabled (default to allow) but no rules are loaded. Of course, enabling the firewall regardless of the outcome of the firewall script would probably introduce a much bigger window of vulnerability :-).

In any case, since I'm not a regular ipfw user I don't feel comfortable making any more changes that might have unintended consequences. I'll leave it to someone more familiar with ipfw to comment on and commit any further changes.

Cheers.

-- 
Mike Makonnen          | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mmakonnen @ gmail.com  | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
mtm @ FreeBSD.Org      | FreeBSD - http://www.freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070403154054.GA1468>
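The ordering argued for above (run the firewall script, confirm rules are in place, only then enable the firewall), written out as an rc-style shell function. This is an added example, not the FreeBSD /etc/rc.d/ipfw script and not code from anyone in the thread. It assumes ipfw(8)'s `list` and `add` syntax, the `net.inet.ip.fw.enable` sysctl, and rule 65535 as the kernel's built-in default rule; the IPFW, SYSCTL and SH variables are there only so the function can be exercised against stand-in commands on a machine without ipfw. It answers the quoted question ("how do you know that the rules are *successfully* loaded?") in the crude way of counting rules after the script exits, and the optional fail-closed branch goes beyond what the message discusses.

```sh
#!/bin/sh
# Illustrative start sequence for an ipfw(8) rc script: load rules first,
# verify they are present, and only then enable the firewall.
# Added example; not the FreeBSD /etc/rc.d/ipfw script.  IPFW, SYSCTL and
# SH are overridable so the logic can be run with stand-in commands on a
# host that has no ipfw(8).

IPFW=${IPFW:-ipfw}
SYSCTL=${SYSCTL:-sysctl}
SH=${SH:-/bin/sh}

# Number of rules installed by the administrator, i.e. everything in
# "ipfw list" except the kernel's built-in default rule 65535.
ipfw_user_rule_count() {
    "$IPFW" list 2>/dev/null | grep -v '^65535 ' | grep -c .
}

# ipfw_start_safe SCRIPT [open|closed]
#
# Executes SCRIPT with sh(1) instead of sourcing it with ".", so its
# variables and any "exit" stay inside the script and its exit status is
# visible here.  Checks that at least one rule was installed, and only
# then sets net.inet.ip.fw.enable=1.  Returns 0 only if the firewall was
# enabled with rules in place.
#
# The second argument selects what happens when loading fails.  "open"
# (the default) leaves the firewall disabled, which means the kernel
# passes everything.  "closed" installs an explicit catch-all deny and
# enables the firewall anyway, trading reachability for protection.
ipfw_start_safe() {
    local script on_failure
    script=$1
    on_failure=${2:-open}

    if [ -r "$script" ] && "$SH" "$script" \
        && [ "$(ipfw_user_rule_count)" -gt 0 ]; then
        "$SYSCTL" net.inet.ip.fw.enable=1 >/dev/null
        return 0
    fi

    echo "ipfw: '$script' failed, is unreadable or installed no rules" >&2
    if [ "$on_failure" = closed ]; then
        # 65534 sits just below the default rule, so it is reached only
        # after whatever partial rule set the script managed to install.
        "$IPFW" add 65534 deny ip from any to any >/dev/null
        "$SYSCTL" net.inet.ip.fw.enable=1 >/dev/null
        echo "ipfw: enabled with catch-all deny in place" >&2
    fi
    return 1
}

# Usage: sh thisfile.sh /etc/ipfw.rules [open|closed]
if [ $# -gt 0 ]; then
    ipfw_start_safe "$@"
fi
```

One caveat a practitioner should keep in mind: what "firewall enabled but no rules loaded" means depends on how the kernel was built. With a default-to-accept kernel it passes everything, which is the window the message describes; with a default-to-deny kernel, enabling before the rules are loaded costs connectivity rather than protection. Either way the rule-count check above is only a sanity check that the script did something, not proof that the rules it installed are the intended ones.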