Date:      Wed, 21 Mar 2001 22:34:10 +0000
From:      Paul Richards <paul@freebsd-services.co.uk>
To:        Patrick Bihan-Faou <patrick@netzuno.com>
Cc:        cvs-all@freebsd.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID:  <3AB92C62.45F0D213@freebsd-services.co.uk>
References:  <HJEEKLMFLKEOKHOKNPBMEECLCMAA.patrick@netzuno.com>

Patrick Bihan-Faou wrote:
> 

> The reason why having them near the end is probably more useful is because
> in a normal setup you may want to have other things done before the "allow
> tcp from any to me 22" that I need to ensure I don't lose access to the
> box. These things include nat, various anti-spoof rules etc. They should be
> done before; the new default rule should be used only when everything else
> is in limbo.

That's not very safe.

Since the rules are matched from low numbers to high then if you put
your "safety" rule at the end it might never get matched. That's
particularly a danger if you're doing NAT.

Say using your suggestion we had the following safety rule (only part of
a complete ruleset):

65534 add allow ip from office_host to remote_host 22

When you flush you end up with your safety rule of 65534 and you're
still connected. So now you load your new rules, but you've made a
mistake so your rules are,

1000 divert 8668 ip from any to any via if0
2000 add ip form any to 10.0.0.0/8

At that point the reload will bomb out because of a syntax error, but
you've already started diverting everything through NAT, so now you're
screwed because your SSH connection is cut off.

That's why the protected rules have to be at the bottom; you have to
ensure that your safety net is in place at all times and that everything
else is built on top of it.

Paul.
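As an added illustration of the ordering argument in this message (this is a toy model written for this page, not ipfw code or anything from the FreeBSD tree), the script below walks a rule table first-match style, loads a ruleset line by line so that a bad line leaves the earlier rules in place, and shows what happens to the SSH packet when the safety rule is numbered 65534 versus when it sits below the divert rule. Host names, the interface name and the rule numbers are constructed placeholders; treating a divert as the end of the walk is a simplification of what natd does with the packet.

```python
# Toy model of ipfw first-match evaluation (added example, not ipfw code).
ACTIONS = {"allow", "deny", "divert"}

def parse_rule(line):
    """Parse 'NUM ACTION [port] PROTO from SRC to DST [DPORT] [via IF]'.
    Raises ValueError on a malformed line, as ipfw(8) would reject it."""
    tok = line.split()
    num, action = int(tok[0]), tok[1]
    if action not in ACTIONS:
        raise ValueError(f"rule {num}: unknown action {action!r}")
    i = 3 if action == "divert" else 2            # divert carries a port
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(f"rule {num}: syntax error in {line!r}")
    dport = int(tok[i + 5]) if len(tok) > i + 5 and tok[i + 5].isdigit() else None
    return {"num": num, "action": action, "proto": tok[i],
            "src": tok[i + 2], "dst": tok[i + 4], "dport": dport}

def load(lines, table):
    """Load rules one at a time into table (keyed by number). A bad line
    raises and leaves every earlier line installed: the partial reload."""
    for line in lines:
        rule = parse_rule(line)
        table[rule["num"]] = rule
    return table

def matches(rule, pkt):
    host_ok = lambda pattern, host: pattern in ("any", host)
    return (rule["proto"] in ("ip", pkt["proto"])
            and host_ok(rule["src"], pkt["src"])
            and host_ok(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt["dport"]))

def evaluate(table, pkt):
    """First match wins, walking rule numbers upward; 65535 is the implicit
    default deny. A divert hands the packet to the NAT socket, so in this
    model the walk ends there (simplification of natd reinjection)."""
    for num in sorted(table):
        if matches(table[num], pkt):
            return table[num]["action"]
    return "deny"

# Constructed SSH packet and the broken reload from the message (the
# second line is the deliberate typo that makes the reload bomb out).
SSH = {"proto": "tcp", "src": "office_host", "dst": "remote_host", "dport": 22}
BAD_RELOAD = ["1000 divert 8668 ip from any to any via if0",
              "2000 add ip form any to 10.0.0.0/8"]

def reload_with_safety_rule(safety_num):
    """Flush down to the safety rule, attempt the bad reload, and report
    what the firewall now does with the SSH packet."""
    table = load([f"{safety_num} allow tcp from office_host to remote_host 22"], {})
    try:
        load(BAD_RELOAD, table)
    except ValueError:
        pass                      # reload failed, but rule 1000 is already in
    return evaluate(table, SSH)   # 65534 -> "divert", 100 -> "allow"
```

With the safety rule at 65534 the divert at 1000 is hit first and the SSH session is lost; numbered below the divert it is still the first match.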
