From: "Peter C. Lai"
To: "Michael Sharp"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Berkeley Packet Filter
Date: Mon, 08 Apr 2002 18:14:19 GMT

Disabling bpf only prevents someone from running a sniffer on *your* box
should they obtain a shell. I don't see how disabling it prevents nmap from
running SYN/FIN scans. Furthermore, if someone obtains a root shell, they
could just load a kernel module to enable bpf-like capabilities.

In addition, disabling bpf also breaks DHCP (and/or PPP?). If your host gets
an IP via DHCP (e.g. you are running dhclient(1)), you need to enable bpf.

Michael Sharp writes:
> It is my understanding that if you comment OUT the bpf line in the kernel
> and re-compile, this disables things like nmap and prevents a sniffer from
> running on the network * easily *, correct?
>
> The reason I put * easily * in there is because I am aware of other ways to
> bypass bpf, but I believe disabling it would defeat 99% of the script kiddies.
>
> Michael

-----------
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)
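The practical check that follows from the exchange above is not whether bpf is compiled in, but which processes currently hold a bpf device open: on a DHCP client dhclient is expected to, anything else is a candidate sniffer. The script below is an added example, not code from the thread or from FreeBSD. It parses fstat(1)-style output with awk; the sample lines are constructed to resemble fstat output (column layout and device names like bpf0 are assumptions, which is why the filter scans every field rather than a fixed column), and the allowlist of expected holders defaults to dhclient only because the message says dhclient needs bpf.

```shell
#!/bin/sh
# Constructed sample shaped like FreeBSD fstat(1) output (NOT a real capture;
# column layout and the bpf0/bpf1 device names are assumptions):
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W NAME
root     dhclient     243    5 /dev         37 crw-------   bpf0  r
root     tcpdump      1187   3 /dev         38 crw-------   bpf1  r
www      httpd        512    4 /            123 -rw-r--r--  4096  r
peter    sshd         600    3 /dev         12 crw--w----  ttyp0 rw'

# Read fstat-style lines on stdin; print "PID CMD USER" for every open file
# that is a bpf device node. Skips the header line and scans all fields so a
# shifted column layout does not silently hide a match.
bpf_holders() {
    awk 'NR > 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^bpf[0-9]*$/) { print $3, $2, $1; break }
    }'
}

# Same, minus commands in a space-separated allowlist (default: dhclient,
# which legitimately needs bpf on a DHCP client). Whatever remains is worth a
# look: a sniffer on the box shows up here whether or not bpf was meant to
# be available.
unexpected_bpf_holders() {
    allow="${1:-dhclient}"
    bpf_holders | awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Offline demo on the constructed sample; on a FreeBSD host you would run
# `fstat | unexpected_bpf_holders "dhclient ppp"` instead.
printf '%s\n' "$SAMPLE_FSTAT" | unexpected_bpf_holders
```

Run on the sample this prints `1187 tcpdump root` and stays silent about dhclient. The caveat from the message still applies: an attacker with root can hide from or disable this check (or load a module that provides bpf-like access), so it is a detection aid, not a control.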