Date: Mon, 21 May 2001 04:10:05 -0700 (PDT)
From: Brian Somers <brian@Awfulhak.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/27474: Interactive use of user PPP and ipfilter can be insecure
Message-ID: <200105211110.f4LBA5h02514@freefall.freebsd.org>
The following reply was made to PR kern/27474; it has been noted by GNATS.
From: Brian Somers <brian@Awfulhak.org>
To: jsnader@ix.netcom.com
Cc: freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/27474: Interactive use of user PPP and ipfilter can be insecure
Date: Mon, 21 May 2001 12:00:27 +0100
> >Number: 27474
> >Category: kern
> >Synopsis: Interactive use of user PPP and ipfilter can be insecure
I think that users of ppp with any sort of ipf or ipfw stuff should
be very careful if they're not running with a ``-unit N'' command
line as the only way to get things right is to install the rules from
either ppp.conf or ppp.linkup using the INTERFACE macro (which of
course requires root invocation as ppp invokes commands as the
real user for security reasons).
For people running ``ppp -unit 100 ...'' (for example), the best way
to get things to work is to ensure that the interface is made
available before ipf/ipfw are run with something like
    kldload tun
    touch /dev/tun100
This can probably be done from /etc/start_if.tun100 after adding
tun100 to the $network_interfaces variable in rc.conf - but I'm not
100% sure the startup ordering will let this work. The alternative
with ipfw (given that everyone side-steps /etc/rc.firewall) is to
just invoke these commands at the start of your ipfw load script. I
don't know about ipf (I've never used it).
Of course I'll never really understand why users of ppp(8) don't just
use the -nat option or the ``set filter'' commands and do away with
ipf/ipfw.... I guess ipfw gives more flexibility, but I'm not sure
that ipf has anything that libalias doesn't.
--
Brian <brian@Awfulhak.org> <brian@[uk.]FreeBSD.org>
<http://www.Awfulhak.org> <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
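As an added example (not from this thread or from the ppp(8) sources) of the ppp.linkup approach described above: the ipfw rules are installed from ppp.linkup using the INTERFACE macro, so they attach to whichever tunN unit ppp actually acquired, and are removed again from ppp.linkdown. The label myisp, the device, phone number, credentials, addresses and rule numbers are placeholders; ppp must be invoked by root for the ipfw commands to succeed.

```conf
# /etc/ppp/ppp.conf -- started as root, e.g. "ppp -auto myisp".
# Device, phone number and credentials below are placeholders.
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

myisp:
 set phone 5551234
 set authname USERNAME
 set authkey PASSWORD
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

# /etc/ppp/ppp.linkup -- run when the link comes up. ppp expands INTERFACE,
# MYADDR and HISADDR in each "!" (shell) command before executing it, so the
# rules bind to the real tunN rather than a guessed unit number.
# Rules 200-65000 are reserved for the PPP link; clear any stale copies first.
myisp:
 ! sh -c "/sbin/ipfw -q delete 200 300 400 65000 2>/dev/null; exit 0"
 ! sh -c "/sbin/ipfw -q add 100 check-state"
 ! sh -c "/sbin/ipfw -q add 200 allow tcp from MYADDR to any out via INTERFACE setup keep-state"
 ! sh -c "/sbin/ipfw -q add 300 allow udp from MYADDR to any 53 out via INTERFACE keep-state"
 ! sh -c "/sbin/ipfw -q add 400 allow icmp from any to any via INTERFACE icmptypes 0,3,8,11"
 ! sh -c "/sbin/ipfw -q add 65000 deny log ip from any to any via INTERFACE"

# /etc/ppp/ppp.linkdown -- run when the link drops, so rules that name the
# interface do not outlive it and get silently reused by a later unit.
myisp:
 ! sh -c "/sbin/ipfw -q delete 200 300 400 65000 2>/dev/null; exit 0"
```

The check-state rule stays in place across link cycles; only the interface-specific rules are added and removed with the link.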