Date: Mon, 21 May 2001 04:10:05 -0700 (PDT)
From: Brian Somers <brian@Awfulhak.org>
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/27474: Interactive use of user PPP and ipfilter can be insecure
Message-ID: <200105211110.f4LBA5h02514@freefall.freebsd.org>
The following reply was made to PR kern/27474; it has been noted by GNATS.

From: Brian Somers <brian@Awfulhak.org>
To: jsnader@ix.netcom.com
Cc: freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: kern/27474: Interactive use of user PPP and ipfilter can be insecure
Date: Mon, 21 May 2001 12:00:27 +0100

> >Number:         27474
> >Category:       kern
> >Synopsis:       Interactive use of user PPP and ipfilter can be insecure

I think that users of ppp with any sort of ipf or ipfw stuff should be
very careful if they're not running with a ``-unit N'' command line, as
the only way to get things right is to install the rules from either
ppp.conf or ppp.linkup using the INTERFACE macro (which of course
requires root invocation, as ppp invokes commands as the real user for
security reasons).

For people running ``ppp -unit 100 ...'' (for example), the best way to
get things to work is to ensure that the interface is made available
before ipf/ipfw are run, with something like

  kldload tun
  touch /dev/tun100

This can probably be done from /etc/start_if.tun100 after adding tun100
to the $network_interfaces variable in rc.conf - but I'm not 100% sure
the startup ordering will let this work.

The alternative with ipfw (given that everyone side-steps
/etc/rc.firewall) is to just invoke these commands at the start of your
ipfw load script.  I don't know about ipf (I've never used it).

Of course I'll never really understand why users of ppp(8) don't just
use the -nat option or the ``set filter'' commands and do away with
ipf/ipfw....  I guess ipfw gives more flexibility, but I'm not sure
that ipf has anything that libalias doesn't.

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
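The ordering problem Brian describes (firewall rules written against tunN, while ppp may grab a different unit unless it is started with ``-unit N'') can be handled in the ipfw load script as he suggests: create the pinned tun device first, then load rules that name that interface and nothing else. The script below is an added example, not code from the PR, from ppp(8) or from the FreeBSD rc scripts. It assumes a FreeBSD host with kldload, kldstat, ifconfig and ipfw; DEVDIR (so the device directory can be redirected for testing) and the rule numbers are choices made for this example.

```sh
#!/bin/sh
# Added example, not part of the PR or of ppp itself: make a pinned tun unit
# exist before the ipfw rules that reference it are loaded, so that
# "ppp -unit N" and the rule set agree on the interface name.
# Assumptions: FreeBSD with kldload/kldstat/ipfw; DEVDIR and the rule
# numbers below are placeholders chosen for this example.

DEVDIR=${DEVDIR:-/dev}

# Create tun<unit> ahead of ppp, as the message suggests
# (kldload tun; touch /dev/tunN).  Returns non-zero if the node is still
# missing afterwards, so a caller can refuse to load rules for a unit
# that does not exist.
ensure_tun_unit() {
    unit=$1
    # Load the tun module only when it is absent (kldstat -q -m checks
    # quietly for a loaded module; skipped on hosts without kldstat).
    if command -v kldstat >/dev/null 2>&1 && ! kldstat -q -m if_tun 2>/dev/null; then
        kldload tun || return 1
    fi
    # Touching the device node makes the kernel instantiate tunN.
    touch "$DEVDIR/tun$unit" || return 1
    [ -e "$DEVDIR/tun$unit" ]
}

# Emit ipfw rules bound to the pinned interface name.  Every rule names
# "tun$unit" explicitly, so traffic on some other tun unit that an
# unpinned ppp might have picked up does not silently match "allow" rules.
ipfw_rules_for_unit() {
    unit=$1
    iface="tun$unit"
    cat <<EOF
add 01000 check-state
add 01010 allow tcp from me to any out via $iface setup keep-state
add 01020 allow udp from me to any 53 out via $iface keep-state
add 01030 deny log ip from any to any in via $iface
EOF
}

# Load the rules only if the interface exists; otherwise stop, because a
# rule set that names an interface ppp is not using protects nothing.
load_firewall() {
    unit=$1
    ensure_tun_unit "$unit" || {
        echo "tun$unit is not available; not loading rules" >&2
        return 1
    }
    ipfw_rules_for_unit "$unit" | while read -r line; do
        # word splitting of $line is intended: each line is one ipfw command
        ipfw $line
    done
}

# Usage: sh this_script.sh 100    (then start ppp with: ppp -unit 100 ...)
if [ -n "${1:-}" ]; then
    load_firewall "$1"
fi
```

Run it with the same unit number you pass to ``ppp -unit N''; ensure_tun_unit fails early when the device cannot be created, which is the case worth noticing, since otherwise ipfw would accept rules for an interface that never carries the link.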