Subject: Re: pf doesn't start normally anymore
To: Peter Postma <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 08/11/2005 14:41:32
In message <20050811172859.GA25777@gateway.pointless.nl>, Peter Postma writes:
>On Thu, Aug 11, 2005 at 07:12:43PM +0200, Lubomir Sedlacik wrote:
>> On Thu, Aug 11, 2005 at 07:07:10PM +0200, Peter Postma wrote:
>> > So, we should start pf after the network is up, then everything should
>> > be fine. Please try the attached patch.
>> that's fundamentally wrong approach, though. starting packet filter
>> after the network is up leaves window for possible attacks from the
>Which is perhaps ~ 1 or 2 seconds and even then there are no networked
>daemons up. I think this is a bit exaggerated to take into account.
Depending on the machine and its security policy, that still may be a
problem. Is it a firewall that's controlling access to an inside net?
Is forwarding already on?
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb