From: Jeremy Chadwick <jdc@parodius.com>
To: JoaoBR
Cc: freebsd-stable@freebsd.org
Date: Fri, 16 Mar 2007 14:50:17 -0700
Subject: Re: rc.order wrong (ipfw)
Message-ID: <20070316215017.GA38114@icarus.home.lan>
In-Reply-To: <200703161800.30583.joao@matik.com.br>
References: <200703161152.l2GBqR9q065684@lurza.secnetix.de> <200703160932.16080.joao@matik.com.br> <45FA9E5C.1060404@pp.nic.fi> <200703161800.30583.joao@matik.com.br>
User-Agent: Mutt/1.5.13 (2006-08-11)
X-PGP-Key: http://jdc.parodius.com/pubkey.asc
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Fri, Mar 16, 2007 at 06:00:30PM -0300, JoaoBR wrote:
> man, starting ipfw after network does not mean that the network is not up

Okay, imagine this order:

1) Kernel starts
2) Network driver is loaded
3) Link is brought up
4) Interface is configured for IP (manually or via DHCP)
5) Firewall rules (ipfw or pf) are applied

Do you realise that between step #4 and step #5 there is a small window
of time where someone may be able to send packets to your machine and
get responses which would normally be blocked by ipfw/pf?

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
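The ordering argument above is easy to check on a running system rather than by reasoning about it: `rcorder(8)` prints the order in which the rc.d scripts will be started. The following is an added example, not code from the thread or from FreeBSD itself; it reads script names in start order and fails when a firewall script (`ipfw`, `pf` or `ipfilter`, assumed here to be the script names of interest) is scheduled after `netif`, which is the script that assigns addresses. The two orderings embedded below are constructed for illustration, not real `rcorder` output.

```shell
# Added example (not part of the original thread). Verify that the packet
# filter's rc.d script starts before netif configures interfaces, closing the
# window between address assignment and rule installation described above.
#
# On a real FreeBSD host run it against live data (script names only):
#   rcorder /etc/rc.d/* | sed 's|.*/||' | check_fw_order
#
# check_fw_order: reads one rc.d script name per line, in start order, from
# stdin. Exit 0 if every firewall script present (ipfw, pf, ipfilter) starts
# before netif; exit 1 if any starts after it; exit 2 if netif is absent.
check_fw_order() {
    awk '
        { order[$1] = NR }                      # remember start position
        END {
            if (!("netif" in order)) { print "netif not found in input"; exit 2 }
            bad = 0
            n = split("ipfw pf ipfilter", fw, " ")
            for (i = 1; i <= n; i++) {
                s = fw[i]
                if (s in order && order[s] > order["netif"]) {
                    printf "%s starts at #%d, after netif (#%d): interfaces are addressed before rules load\n",
                           s, order[s], order["netif"]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample orderings (hypothetical, not captured from a real system).
# In BAD_ORDER the firewall scripts run after netif and dhclient; in GOOD_ORDER
# they run first, so packets arriving at a freshly addressed interface already
# hit the ruleset.
BAD_ORDER='sysctl
netif
dhclient
routing
ipfw
pf'

GOOD_ORDER='sysctl
ipfw
pf
netif
dhclient
routing'
```

Note that a ruleset loaded before `netif` must not depend on addresses that do not exist yet (for example `me` in ipfw, or interface-bound `pf` rules, behave differently before an address is assigned), which is why a default-deny policy plus explicit allows is the safe shape for rules that load this early.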