Date:      Wed, 3 Feb 1999 09:29:19 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Eivind Eklund <eivind@FreeBSD.ORG>
Cc:        Michael Richards <026809r@dragon.acadiau.ca>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, security@FreeBSD.ORG
Subject:   Re: tcpdump
Message-ID:  <Pine.BSF.3.96.990203092622.27795B-100000@fledge.watson.org>
In-Reply-To: <19990203132321.K8749@bitbox.follo.net>

On Wed, 3 Feb 1999, Eivind Eklund wrote:

> On Wed, Feb 03, 1999 at 12:48:34AM -0500, Robert Watson wrote:
> > On Wed, 3 Feb 1999, Michael Richards wrote:
> > 
> > > On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
> > > 
> > > > OK, time to raise this topic again.  What do people think about
> > > > enabling bpfilter by default in GENERIC?
> > >
> > > I would think that the majority of us do not use the bpfilter by default.
> > > My personal opinion (whether correct or not) is that it is more secure
> > > this way. Many kiddiez have scripts to automate tcpdumping for passwords
> > > and other such nasties and having to compile a bpf module and load it is
> > > beyond many people. (I admit I'd have to go find some instructions)
> > 
> > Security by obscurity in that form works only until the first
> > script-author writes script-kiddie-script-#20 which automates the process.
> > And it's not such a complicated task that some bored hacker won't write it
> > into tomorrow's rootkit.
> 
> This is not correct.  Having BPF support in the kernel also adds code
> to the drivers to support it.  It is not possible to compile it up as a
> module without also replacing the drivers.
> 
> Don't take this as me being against 'pseudo-device bpfilter' in
> GENERIC; I'm agnostic on that issue.

Alright then--assuming netgraph arrives in -CURRENT someday, then this
would be feasible.  In the meantime, they load up an lkm/kld that remaps
the code page containing the ip_input and ip_output routines as writable,
then replaces some of the machine code with jumps to the lkm/kld versions
of the same routines; these routines effectively are bpfilter-esque.  This
is the nice thing about programmable computers... :)

  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
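The attack Robert sketches above (remap the page holding a kernel routine writable, overwrite its entry with a jump to a module-supplied copy that also taps the traffic) is easier to reason about with a concrete model. The following is an added userland C example, not code from this thread or from FreeBSD: `ip_input` is a hypothetical stand-in for the kernel routine, `hooked_ip_input` is the "bpfilter-esque" replacement, the `pkt` structs are constructed sample traffic rather than real datagrams, and `mprotect` plays the role of remapping the code page. The patch stub is written for x86-64 and aarch64; other architectures return -1.

```c
/* Added example (not from the original thread): userland model of the
 * in-kernel hook described above.  Names and packet format are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct pkt {                 /* constructed stand-in for an IP header in an mbuf */
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t len;
};

static int delivered;            /* what the "stack" did with packets */
static struct pkt tap_log[16];   /* what the injected replacement sniffed */
static int tap_count;

/* Stand-in for the kernel's ip_input(): deliver the packet, return its length. */
__attribute__((noinline)) int ip_input(struct pkt *p)
{
    delivered++;
    return p->len;
}

/* The module's copy of the same routine: identical contract, but it records
 * a copy of every header before delivering -- exactly what a tap wants. */
__attribute__((noinline)) int hooked_ip_input(struct pkt *p)
{
    if (tap_count < (int)(sizeof tap_log / sizeof tap_log[0]))
        tap_log[tap_count++] = *p;
    delivered++;
    return p->len;
}

/* Make the page(s) covering the entry of `target` writable, overwrite the
 * first bytes with an absolute jump to `repl`, then restore R-X.
 * Returns 0 on success, -1 if the remap fails or the arch is unsupported. */
int patch_entry(void *target, void *repl)
{
    uint8_t stub[16];
    uint64_t addr = (uint64_t)(uintptr_t)repl;
    size_t n;
#if defined(__x86_64__)
    /* movabs rax, repl ; jmp rax   (rax is scratch at function entry) */
    stub[0] = 0x48; stub[1] = 0xB8;
    memcpy(stub + 2, &addr, 8);
    stub[10] = 0xFF; stub[11] = 0xE0;
    n = 12;
#elif defined(__aarch64__)
    /* ldr x16, #8 ; br x16 ; .quad repl */
    uint32_t ldr = 0x58000050, br = 0xD61F0200;
    memcpy(stub, &ldr, 4);
    memcpy(stub + 4, &br, 4);
    memcpy(stub + 8, &addr, 8);
    n = 16;
#else
    (void)target; (void)stub; (void)addr;
    return -1;
#endif
    long pg = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~((uintptr_t)pg - 1);
    uintptr_t end   = ((uintptr_t)target + n + pg - 1) & ~((uintptr_t)pg - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;                                  /* remap denied: no hook */
    memcpy(target, stub, n);                        /* the "replaces some of the machine code" step */
    __builtin___clear_cache((char *)target, (char *)target + n);
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return 0;
}

/* Feed three constructed packets: one before the patch, two after.
 * Returns how many the tap saw (expected 2), or -1 if patching failed. */
int run_demo(void)
{
    struct pkt pkts[3] = {                          /* constructed sample traffic */
        { 0x0a000001, 0x0a000002, 6, 60 },
        { 0x0a000003, 0x0a000002, 17, 80 },
        { 0x0a000004, 0x0a000002, 1, 28 },
    };
    int (*volatile fn)(struct pkt *) = ip_input;    /* keep the call a real call */
    delivered = tap_count = 0;

    fn(&pkts[0]);                                   /* stock routine: nothing tapped */
    if (patch_entry((void *)(uintptr_t)ip_input, (void *)(uintptr_t)hooked_ip_input) != 0)
        return -1;
    fn(&pkts[1]);                                   /* same call site, now lands in the hook */
    fn(&pkts[2]);
    return tap_count;
}

int delivered_count(void) { return delivered; }
int tap_proto(int i) { return i < tap_count ? tap_log[i].proto : -1; }

int main(void)
{
    int n = run_demo();
    printf("tapped %d packets, delivered %d\n", n, delivered_count());
    for (int i = 0; i < n; i++)
        printf("  tap[%d]: proto %d len %u\n", i, tap_log[i].proto, tap_log[i].len);
    return n == 2 ? 0 : 1;
}
```

The point of the demo is the one Robert makes: nothing about `ip_input` changed from the caller's view, and the delivered count still reaches 3, yet every packet after the patch is copied out before delivery, without any `bpf` device being present. In a kernel the same sequence needs only the page remap plus a write, which is why leaving `bpfilter` out of GENERIC is not a barrier to an attacker who already has root.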

