Date: Wed, 14 Jun 2000 17:11:30 +0200
From: Gabor Zahemszky
To: freebsd-security@freebsd.org
Subject: Re: rc.network firewall init
Message-ID: <20000614171130.E471@zg.CoDe.hu>
In-Reply-To: ; from freebsd-contact@research.poc.net on Tue, Jun 13, 2000 at 03:26:45PM -0400

On Tue, Jun 13, 2000 at 03:26:45PM -0400, freebsd-contact@research.poc.net wrote:
> I've noticed that FreeBSD 4.0's /etc/rc.network brings up network
> interfaces before initializing firewall behavior.
>
> In the case of IPFIREWALL, when not compiled into the kernel, this causes
> a short window of 'exposure' during startup. In the time between network
> connectivity being established, and the IPFIREWALL KLD being loaded, all
> interfaces are up and unfiltered. (An almost identical problem exists
> even when IPFIREWALL *is* compiled into the kernel, but the kernel option
> IPFIREWALL_DEFAULT_TO_ACCEPT is specified.)
>
> One successful TCP handshake during this window can establish a connection
> that survives the firewall loading, due to IPFIREWALL's non-statefulness

1) Well, in 4.x ipfw _is_ stateful, but as it is a new feature, maybe not so many people use it.

2) This problem exists if somebody is using the other firewall, ipf, as its default action is pass (yes, we can change it with that non-documented option):

    options IPFILTER_DEFAULT_BLOCK   # kernel ipfilter default block

Conclusion: don't use a KLD firewall! (Or maybe somebody will restructure our rc.network script and put in the changes that will make it easier to use ipf instead of ipfw.)

ZGabor at CoDe dot HU
-- 
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
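An added audit helper illustrating the thread's conclusion (it is not part of either post and not FreeBSD's own code): it reads a kernel config file and reports, for ipfw and ipf, whether the boot-time unfiltered window described above applies, using only the option names named in the thread. It assumes ipfw is the firewall rc.network would load as a KLD when IPFIREWALL is absent; the sample config it checks is constructed.

```shell
#!/bin/sh
# Added audit helper, not from the list post. For a FreeBSD kernel config
# file it reports whether each firewall is absent (so it would be loaded
# as a KLD after the interfaces are up), compiled in with an accept
# default, or compiled in with a deny default. Option names come from the
# thread: IPFIREWALL, IPFIREWALL_DEFAULT_TO_ACCEPT, IPFILTER,
# IPFILTER_DEFAULT_BLOCK.

# Print one status line per firewall for the kernel config file in $1.
assess_firewall_config() {
    # Keep only "options NAME" tokens: drop comments, quotes and =values.
    opts=$(sed -e 's/#.*//' -e 's/"//g' "$1" |
           awk '$1 == "options" { sub(/=.*/, "", $2); print $2 }')
    has_opt() { printf '%s\n' "$opts" | grep -qx "$1"; }

    if has_opt IPFIREWALL; then
        if has_opt IPFIREWALL_DEFAULT_TO_ACCEPT; then
            echo "ipfw: in kernel, default accept: open until rules load"
        else
            echo "ipfw: in kernel, default deny: closed during boot"
        fi
    else
        echo "ipfw: not in kernel: KLD loaded after interfaces up"
    fi

    if has_opt IPFILTER; then
        if has_opt IPFILTER_DEFAULT_BLOCK; then
            echo "ipf: in kernel, default block: closed during boot"
        else
            echo "ipf: in kernel, default pass: open until rules load"
        fi
    else
        echo "ipf: not in kernel"
    fi
}

# Constructed sample kernel config (not from a real system): ipfw built in
# but defaulting to accept, ipf built in without the default-block option.
make_sample_config() {
    cat > "$1" <<'EOF'
ident    SAMPLE                         # constructed example
options  IPFIREWALL
options  "IPFIREWALL_DEFAULT_TO_ACCEPT"
options  IPFIREWALL_VERBOSE_LIMIT=100   # not a default-policy option
options  IPFILTER
EOF
}

sample=$(mktemp)
make_sample_config "$sample"
assess_firewall_config "$sample"
rm -f "$sample"
```

Both lines reported for the sample describe the window the thread warns about; a config that gets "default deny" and "default block" is closed while rc.network is still bringing interfaces up.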