On 9/23/14, 2:01 AM, Andrey V. Elsukov wrote:
On 21.09.2014 09:58, Hiroki Sato wrote:
Hi,
I would like your comments about the attached patch to /etc/rc.
The problem I want to fix by this patch is as follows.
net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
kernel module is loaded or statically compiled into a kernel. And by
default IPFW has only a "deny ip from any to any" rule if it is
compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
working as described in the patch.
To fix this, the patch turns IPFW off before running rc.d scripts at
boot time, and enables it again in rc.d/ipfw script.
Hi,
I think this should be configurable, the change can be an unexpected for
someone.
it does open a window where there is networking but no firewalling.
given that a reboot is remotely detectable. (ping stops responding etc.)
there is a possibility that a targeted attack could include
"use exploit ABC to cause a crash of the target and then strike with
exploit XYZ after target system reboots while the firewall is disabled".
I have not evaluated the danger of this window.
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"