Date:      Sat, 17 Mar 2007 17:58:45 +1100
From:      Mark Andrews <Mark_Andrews@isc.org>
To:        JoaoBR <joao@matik.com.br>, freebsd-stable@freebsd.org
Subject:   Re: rc.order wrong (ipfw) 
Message-ID:  <200703170658.l2H6wjTD098761@drugs.dv.isc.org>
In-Reply-To: Your message of "Fri, 16 Mar 2007 17:28:16 PDT." <20070317002816.GA40565@icarus.home.lan> 


> On Fri, Mar 16, 2007 at 08:33:01PM -0300, JoaoBR wrote:
> > On Friday 16 March 2007 18:50, Jeremy Chadwick wrote:
> > > Okay, imagine this order:
> > >
> > > 1) Kernel starts
> > > 2) Network driver is loaded
> > > 3) Link is brought up
> > > 4) Interface is configured for IP (manually or via DHCP)
> > > 5) Firewall rules (ipfw or pf) are applied
> > >
> > > Do you realise that between steps #4 and steps #5 there is a small
> > > window of time where someone may be able to send packets to your machine
> > > and get responses which would normally be blocked by ipfw/pf?
> > 
> > nono that is not exactly how it works
> > 
> > unless you change ipfw's default behaviour which is deny all from any to any,
> > nothing goes to this machine because by default everything is blocked until
> > you permit it
> 
> You're absolutely correct, however your original post seems to have
> taken many of us by surprise, causing some of us (at least me!) to
> assume that you've changed the default method to allow.  I'm obviously
> misunderstanding, so I apologise for that, but I hope you can see the
> reasoning behind my comments with what I knew at the time.  :)

	ipfw needs to be before networking or router discovery
	fails for IPv6.

	http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
 
> -- 
> | Jeremy Chadwick                                    jdc at parodius.com |
> | Parodius Networking                           http://www.parodius.com/ |
> | UNIX Systems Administrator                      Mountain View, CA, USA |
> | Making life hard for others since 1977.                  PGP: 4BD6C0CB |
> 
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org


