Re: [suse-security] SuSE personal Firewall 1.1-4 / ppp*
To find out which interfaces exist, it does
    if [ "$iname" = "modem" ]; then
        RAIC="$RAIC `cd /proc/sys/net/ipv4/conf; echo ppp* `"
    else
        RAIC="$RAIC $iname"
    fi
...which results in the "ppp*" string if there is no interface named ppp* present. The script is written for very fast execution, and echo <pattern> is much faster than an ls <pattern>.
Hmm, am I missing something or could you just do something like

    R="`cd /proc/sys/net/ipv4/conf; echo ppp* `"
    test "$R" = "ppp*" && R=""
    RAIC="$RAIC $R"

with the shell? A bit of string comparison is not exactly CPU-intensive and handled by the shell without external programs.

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.orcon.net.nz
Please do not CC list postings to me.
Hmm, am I missing something or could you just do something like
    R="`cd /proc/sys/net/ipv4/conf; echo ppp* `"
    test "$R" = "ppp*" && R=""
    RAIC="$RAIC $R"
with the shell? A bit of string comparison is not exactly CPU-intensive and handled by the shell without external programs.
That's true. Compared to the run of ipchains or iptables afterwards, it's even extremely inexpensive.

Roman.
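The glob pitfall discussed above, with Volker's fix generalised into a reusable function, as an added example that is not code from the thread or from the SuSE firewall script; the names CONF_DIR, ppp_ifaces and build_raic are assumptions, and CONF_DIR can be pointed at a constructed directory for testing:

```shell
# Constructed example (not from the original thread): collect the ppp
# interfaces the kernel knows about without letting an unmatched glob
# leak the literal pattern "ppp*" into the interface list.
# CONF_DIR defaults to the real sysctl directory; override it to test.
CONF_DIR=${CONF_DIR:-/proc/sys/net/ipv4/conf}

# Print the names of existing ppp interfaces, one per line.
# Prints nothing and returns 1 when no ppp interface exists.
ppp_ifaces() {
    found=1
    for f in "$CONF_DIR"/ppp*; do
        # An unmatched glob stays literal, so "$CONF_DIR/ppp*" does
        # not exist and the -e test filters it out.
        [ -e "$f" ] || continue
        echo "${f##*/}"
        found=0
    done
    return $found
}

# Build the RAIC list the way the firewall script does, with the glob
# handled. Arguments are configured interface names (e.g. "eth0 modem");
# "modem" expands to whatever ppp interfaces are currently up.
build_raic() {
    RAIC=""
    for iname in "$@"; do
        if [ "$iname" = "modem" ]; then
            RAIC="$RAIC $(ppp_ifaces | tr '\n' ' ')"
        else
            RAIC="$RAIC $iname"
        fi
    done
    # Normalise whitespace without word-splitting or re-globbing $RAIC.
    printf '%s\n' "$RAIC" | sed 's/^ *//; s/ *$//; s/  */ /g'
}
```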
* Roman Drahtmueller wrote on Thu, Apr 18, 2002 at 20:08 +0200:
    R="`cd /proc/sys/net/ipv4/conf; echo ppp* `"
That's true. Compared to the run of ipchains or iptables afterwards, it's even extremely inexpensive.
But why not set a rule on bootup with "ppp+"? Why the need to rewrite firewall rules if interfaces come up or go down?

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
Steffen Dettmer <steffen@dett.de> writes:
That's true. Compared to the run of ipchains or iptables afterwards, it's even extremely inexpensive.
But why not set a rule on bootup with "ppp+"? Why the need to rewrite firewall rules if interfaces come up or go down?
The antispoofing rules, at least, need to be rewritten when the IP address changes.

--
Alan Hadsell
If brute force doesn't work, you aren't using enough.
* Alan Hadsell wrote on Fri, Apr 19, 2002 at 07:08 -0500:
Steffen Dettmer <steffen@dett.de> writes:
But why not set a rule on bootup with "ppp+"? Why the need to rewrite firewall rules if interfaces come up or go down?
The antispoofing rules, at least, need to be rewritten when the IP address changes.
AFAIK "antispoofing" means to drop packets with source addresses which come from the wrong interface. At least in a common configuration (internal LANs with static addressing and a dialup/DSL/cable uplink) I don't see why the antispoofing rules should change when the local IP address changes.

And let me repeat, if you don't trust your ISP, you don't know if you get the correct IP assigned, but if you do, you know that the ISP router will route the correct packets (destination based). Well, and since the source addresses are unaffected by your local IP, nothing changes. Usually you may get just *any* IP assigned, and by that you can filter with any as local IP.

Since the last time we had such a thread nobody had a situation requiring rule rewriting (not counting very exotic setups), I still think there is no need for such rewrites in a clean configuration.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.