Date: Wed, 14 Jun 2000 17:11:30 +0200
From: Gabor Zahemszky <ZGabor@CoDe.hu>
To: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
Message-ID: <20000614171130.E471@zg.CoDe.hu>
In-Reply-To: <Pine.BSF.4.21.0006131512000.76423-100000@ouch.Oof.NET>; from freebsd-contact@research.poc.net on Tue, Jun 13, 2000 at 03:26:45PM -0400
References: <Pine.BSF.4.21.0006131512000.76423-100000@ouch.Oof.NET>
On Tue, Jun 13, 2000 at 03:26:45PM -0400, freebsd-contact@research.poc.net wrote:
> I've noticed that FreeBSD 4.0's /etc/rc.network brings up network
> interfaces before initializing firewall behavior.
>
> In the case of IPFIREWALL, when not compiled into the kernel, this causes
> a short window of 'exposure' during startup. In the time between network
> connectivity being established, and the IPFIREWALL KLD being loaded, all
> interfaces are up and unfiltered. (An almost identical problem exists
> even when IPFIREWALL *is* compiled into the kernel, but the kernel option
> IPFIREWALL_DEFAULT_TO_ACCEPT is specified.)
>
> One successful TCP handshake during this window can establish a connection
> that survives the firewall loading, due to IPFIREWALL's non-statefulness
1) Well, in 4.x ipfw _is_ stateful, but as it is a new feature, maybe not so
many people use it.
2) This problem exists if somebody is using the other firewall, ipf,
as its default action is pass (yes, we can change it with that
undocumented option)
options IPFILTER_DEFAULT_BLOCK #kernel ipfilter default block
Conclusion: don't use a KLD firewall! (Or maybe somebody will restructure
our rc.network script and put in those changes, which will make it easier
to use ipf instead of ipfw.)
ZGabor at CoDe dot HU
--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
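As an added example (not part of this thread, and not FreeBSD's own code), a sh check a defender can run on a 4.x box for the two conditions the poster and Gabor describe: ipfw loaded as a KLD rather than compiled in, and a catch-all rule 65535 that accepts (IPFIREWALL_DEFAULT_TO_ACCEPT). The `kldstat` and `ipfw list` outputs embedded below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: detect the startup-window conditions discussed in the thread.
# Sample command outputs below are constructed, not captured from a real host.

# $1: text as printed by `ipfw list`. Returns 0 when the catch-all rule 65535
# is "deny"; returns 1 when it is "allow" (IPFIREWALL_DEFAULT_TO_ACCEPT).
ipfw_default_is_deny() {
    printf '%s\n' "$1" | awk '
        $1 == 65535 && $2 == "deny" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# $1: text as printed by `kldstat`. Returns 0 when ipfw.ko is a loaded module,
# i.e. the KLD case that 4.0's rc.network loads only after interfaces are up.
ipfw_is_kld() {
    printf '%s\n' "$1" | awk '
        $NF == "ipfw.ko" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints "exposed" when either condition leaves a window at boot, else "closed".
startup_window() {
    kld_out=$1; fw_out=$2
    if ipfw_is_kld "$kld_out" || ! ipfw_default_is_deny "$fw_out"; then
        echo exposed
    else
        echo closed
    fi
}

# Constructed sample outputs (hypothetical addresses and sizes).
KLD_MODULE='Id Refs Address    Size     Name
 1    3 0xc0100000 1c4d84   kernel
 2    1 0xc0a00000 5b88     ipfw.ko'
KLD_STATIC='Id Refs Address    Size     Name
 1    1 0xc0100000 1c4d84   kernel'
FW_ACCEPT='00100 allow ip from any to any via lo0
65535 allow ip from any to any'
FW_DENY='00100 allow ip from any to any via lo0
65535 deny ip from any to any'

startup_window "$KLD_MODULE" "$FW_DENY"    # exposed: firewall is a KLD
startup_window "$KLD_STATIC" "$FW_ACCEPT"  # exposed: default-to-accept kernel
startup_window "$KLD_STATIC" "$FW_DENY"    # closed
```

The same parsing applies to ipf's default-pass behaviour only in spirit; it has no rule-65535 equivalent, so there the kernel option on Gabor's line is the thing to verify.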
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000614171130.E471>
