rc.order wrong (ipfw)
Mark Andrews
Mark_Andrews at isc.org
Sat Mar 17 06:59:06 UTC 2007
> On Fri, Mar 16, 2007 at 08:33:01PM -0300, JoaoBR wrote:
> > On Friday 16 March 2007 18:50, Jeremy Chadwick wrote:
> > > Okay, imagine this order:
> > >
> > > 1) Kernel starts
> > > 2) Network driver is loaded
> > > 3) Link is brought up
> > > 4) Interface is configured for IP (manually or via DHCP)
> > > 5) Firewall rules (ipfw or pf) are applied
> > >
> > > Do you realise that between steps #4 and steps #5 there is a small
> > > window of time where someone may be able to send packets to your machine
> > > and get responses which would normally be blocked by ipfw/pf?
> >
> > nono that is not exactly how it works
> >
> > unless you change ipfw's default behaviour which is deny all from any to any,
> > nothing goes to this machine because by default everything is blocked until
> > you permit it
>
> You're absolutely correct, however your original post seems to have
> taken many of us by surprise, causing some of us (at least me!) to
> assume that you've changed the default method to allow. I'm obviously
> misunderstanding, so I apologise for that, but I hope you can see the
> reasoning behind my comments with what I knew at the time. :)
ipfw needs to be before networking or router discovery
fails for IPv6.
http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
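
The ordering question raised in this thread can be checked against the start order that rcorder(8) prints. The following is an added example, not part of any message in the thread; the script names ipfw, netif and routing and the sample order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag rc.d scripts that start before the firewall script.
# Input on stdin: one script path per line, in start order, in the form
# printed by `rcorder /etc/rc.d/*`.
# Usage: check_fw_order FIREWALL_SCRIPT NET_SCRIPT...
# Exit status: 0 = firewall first, 1 = a listed script precedes it,
#              2 = firewall script not present in the order at all.
check_fw_order() {
    fw=$1; shift
    awk -v fw="$fw" -v nets="$*" '
        BEGIN { n = split(nets, want, " ") }
        {
            name = $0
            sub(/.*\//, "", name)      # keep only the script basename
            pos[name] = NR             # remember its position in the order
        }
        END {
            if (!(fw in pos)) { print "MISSING " fw; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++) {
                s = want[i]
                if ((s in pos) && pos[s] < pos[fw]) {
                    print "EXPOSED " s " runs before " fw
                    bad = 1
                }
            }
            if (!bad) print "OK " fw " runs before all listed network scripts"
            exit bad
        }'
}

# Constructed sample order (not captured from a real system): the interface
# is configured before the firewall rules are loaded.
printf '%s\n' /etc/rc.d/netif /etc/rc.d/ipfw /etc/rc.d/routing |
    check_fw_order ipfw netif routing || echo "firewall is not loaded first"
```

On a FreeBSD host the same function can be fed the real order with `rcorder /etc/rc.d/* 2>/dev/null | check_fw_order ipfw netif routing`.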