Subject: Re: pf doesn't start normally anymore
To: Peter Postma <peter@pointless.nl>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 08/11/2005 14:41:32
In message <20050811172859.GA25777@gateway.pointless.nl>, Peter Postma writes:
>On Thu, Aug 11, 2005 at 07:12:43PM +0200, Lubomir Sedlacik wrote:
>> On Thu, Aug 11, 2005 at 07:07:10PM +0200, Peter Postma wrote:
>> > So, we should start pf after the network is up, then everything should
>> > be fine. Please try the attached patch.
>> 
>> that's a fundamentally wrong approach, though.  starting the packet filter
>> after the network is up leaves a window for possible attacks from the
>> network.
>> 
>
>Which is perhaps ~ 1 or 2 seconds and even then there are no networked
>daemons up. I think this is a bit exaggerated to take into account.
>

Depending on the machine and its security policy, that still may be a
problem.  Is it a firewall that's controlling access to an inside net?
Is forwarding already on?

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb