Re: WARNING: Firewall package - security hole?
Bodo, I'm a little surprised by this. If my limited understanding is correct, then in the brief moments between ppp0 coming up and the "2" getting written to ppp0's rp_filter, the network is unprotected against spoofing, right? If I were to completely restart the firewall at that time then I'd be opening an even bigger hole, albeit still temporarily. Or, is there a way to frig the routing tables at that time in order to block off any outside access during the time between ppp0 setup and the subsequent firewall restart? I'm not sure whether this can be done without closing off the very connection request that brought ppp0 up in the first place - I'm using diald to bring the link up and down on demand, and I know diald and ppp do their own routing table/interface configuration, which I barely understand.

BTW, I don't actually have a problem with the IP address as my ISP (Demon) has supported *nix users quite well since before the advent of the web... we all get static IP addresses ;o). So no dynamic substitution is required in my case. I can therefore keep the firewall up from boot time - it's just this rp_filter value that needs to be set for the ppp0 interface when it is created.

Jon Pennington on suse-linux-e suggested that I should post this stuff to the suse-security list, so I've subscribed and included them in the circulation list too. Once again, I'll be grateful for any constructive comments.

Ralph

Bodo Bauer wrote:
There is one more problem: if you start up the firewall before the ppp device exists, you probably don't know the IP address of the interface.
The resolution is to start/stop the firewall in your dialup script. Also use the special value 'IP@ppp0' to specify the address of ppp0, as described in my HOWTO:
Instead of specifying an IP address you can also use the special string IP@device. This will be replaced by the IP address the given networking device has at the moment the firewall script is started. It's especially useful if you have a dialup connection where your IP address changes every time you connect to your ISP. If you use PPP dialup, you can specify your outgoing interface as ppp0 and put IP@ppp0 in the list of your local networks. In this case, however, it's important that you start the firewall after you have brought up the connection to your ISP. This means you don't want to start the firewall at boot time, as there is no internet connection at this moment. You rather start the firewall from the script you use to dial up to your ISP.
You find the HOWTO at -> http://skaro.nightcrawler.com/~bb/FW-HOWTO/FW-Howto.html
Ciao, BB
PS: I'm not on the SuSE list, so please reply to me personally if you have any further questions. -- Bodo Bauer bb@zenguin.com Zenguin, Inc. Simplicity in Linux Applications http://www.zenguin.com http://skaro.nightcrawler.com/~bb PGP available
-- rclark@virgosolutions.demon.co.uk Ralph Clark, Virgo Solutions Ltd (UK)
* Powerful * Flexible * Compatible * Reliable * Well Supported * Thousands of New Users Every Day * The Cost Effective Choice - Linux Means Business!
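The two mechanisms discussed in this thread, the IP@device substitution from Bodo's HOWTO and setting rp_filter on ppp0 from the dial-up script, can be combined in one ip-up hook. The script below is an added example written for this page; it is not the HOWTO's firewall script and not something either poster supplied. It assumes the one-line output format of `ip -4 -o addr show`, a firewall init script at the hypothetical path /sbin/init.d/firewall that reads a LOCAL_NETS variable, and the rp_filter value 2 that the thread uses. The lookup is passed in as a function name so the substitution logic can be exercised without a live interface.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the thread). Shows how an ip-up hook can
# resolve IP@device tokens once the dial-up interface has an address, set that
# interface's rp_filter, and then reload the firewall.
# Assumptions: iproute2 one-line output, a firewall script at
# /sbin/init.d/firewall reading $LOCAL_NETS (hypothetical), rp_filter value 2.

# First IPv4 address in text shaped like `ip -4 -o addr show dev DEV`, e.g.
#   "3: ppp0    inet 192.0.2.10 peer 192.0.2.1/32 scope global ppp0 ..."
# Prints nothing and returns 1 when no inet line is present.
addr_from_ip_output() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" { sub(/\/.*/, "", $4); print $4; found = 1; exit }
        END { exit !found }'
}

# Production lookup: device name -> its current IPv4 address.
live_lookup() {
    addr_from_ip_output "$(ip -4 -o addr show dev "$1" 2>/dev/null)"
}

# Replace every IP@device token in a space-separated network list with the
# address returned by the lookup function named in $2. Fails when a device has
# no address yet, which is the "firewall started before ppp0 exists" case.
expand_ip_tokens() {
    list=$1 lookup=$2 out=""
    for item in $list; do
        case $item in
            IP@*)
                dev=${item#IP@}
                addr=$("$lookup" "$dev") && [ -n "$addr" ] || {
                    echo "expand_ip_tokens: $dev has no IPv4 address yet" >&2
                    return 1
                }
                out="$out $addr"
                ;;
            *)
                out="$out $item"
                ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# pppd runs /etc/ppp/ip-up as: ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM.
# Call ppp_ip_up "$@" from that file. Needs root.
ppp_ip_up() {
    dev=$1
    # Per-interface value the thread writes once the device exists. New
    # interfaces copy their settings from conf/default at creation, so setting
    # default/rp_filter at boot removes the window between ppp0 appearing and
    # this line running.
    echo 2 > "/proc/sys/net/ipv4/conf/$dev/rp_filter" || return 1
    # Resolve IP@... now that the device has an address, then reload the
    # firewall with the concrete list. Template and script path are assumed.
    LOCAL_NETS=$(expand_ip_tokens "${LOCAL_NETS_TEMPLATE:-192.168.1.0/24 IP@$dev}" live_lookup) || return 1
    export LOCAL_NETS
    /sbin/init.d/firewall restart
}

# Read-only demo: ./fw-ipup.sh demo [device]   (defaults to lo)
if [ "${1:-}" = demo ]; then
    expand_ip_tokens "127.0.0.0/8 IP@${2:-lo}" live_lookup
fi
```

Because pppd already hands the local address to ip-up as its fourth argument, a hook that only cares about ppp0 could skip the lookup entirely; the token expansion is kept so the same function serves an arbitrary list of local networks as the HOWTO describes.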