
List:       ipfilter
Subject:    Re: sysv init start order for ipfilter on solaris 9
From:       Rudolph Pereira <rudolph () usyd ! edu ! au>
Date:       2006-10-19 23:50:47
Message-ID: 20061019235047.GD17095 () usyd ! edu ! au


On Thu, Oct 19, 2006 at 01:41:35AM -0700, Darren Reed wrote:
> The current ipfilter init script is meant to analyse /etc/resolve.conf
> and automatically allow DNS traffic, according to the set configuration.
> Where does the init script go wrong in allowing access in that manner?

ipfboot has:

========
...
block_default_workaround() {
        ipf -F a
        echo "constructing minimal name resolution rules..."
        NAMESERVERS=`cat /etc/resolv.conf  2>/dev/null| \
                     nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
        if [ -z "$NAMESERVERS" ] ; then

...
load_ipf_config() {
        bad=0
        if [ -r ${IPFILCONF} ]; then
                checkpfil
                if `ipf -V | \
                      nawk '$1 == "Default:" && $2 == "pass" { exit 1 }'` ; then
                        block_default_workaround
                fi

========

hence it only does that when ipfilter is compiled with deny-by-default. 

Note that following your comment regarding this having security impact,
I redid my rules to not require DNS, so I have a workaround. It might be
a good idea, if the script or boot order isn't changed, to at least have
a note somewhere so others don't trip up on the same issue.

Thanks
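The two checks the quoted ipfboot excerpt performs (is the kernel default "block", and which nameservers does resolv.conf list) and the rules they exist to generate, as an added stand-alone example that is not the ipfboot script and not Rudolph's or Darren's code. It takes the `ipf -V` output and the resolv.conf text as arguments instead of running `ipf` or reading `/etc/resolv.conf`, so it runs offline; the sample inputs are constructed, `awk` stands in for Solaris `nawk`, and the exact rule wording ipfboot emits is not on the page, so the `pass ... port = 53 keep state` rules below are an assumed minimal form.

```shell
#!/bin/sh
# Added example, not the ipfboot script: the same two checks on caller-supplied
# text, plus the minimal DNS pass rules such a workaround would need.

# Exit 0 when the `ipf -V` text ($1) does NOT report "Default: pass", i.e. the
# kernel was built deny-by-default and a bootstrap DNS rule set is needed.
# The excerpt gets the same result from awk's exit status via backticks; here
# the pipeline's status is used directly.
ipf_default_is_block() {
    printf '%s\n' "$1" | awk '$1 == "Default:" && $2 == "pass" { exit 1 }'
}

# Print the nameserver addresses from resolv.conf text ($1), space-separated.
# Slightly tighter than the excerpt's /nameserver/ regex: only lines whose
# first field is the keyword count, so a commented-out entry is skipped.
nameservers_from_resolv() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { printf "%s ", $2 }'
}

# Emit stateful pass rules for DNS (UDP and TCP/53) to each listed server
# only, rather than opening port 53 to the world. Rule wording is assumed.
dns_rules() {
    for ns in $1; do
        printf 'pass out quick proto udp from any to %s port = 53 keep state\n' "$ns"
        printf 'pass out quick proto tcp from any to %s port = 53 flags S keep state\n' "$ns"
    done
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_IPF_V='IP Filter: vX.Y.Z (constructed sample)
Default: block all, Logging: available'
SAMPLE_RESOLV='# constructed sample resolv.conf
domain example.net
#nameserver 192.0.2.250
nameserver 192.0.2.1
nameserver 192.0.2.2'

# Demo run: print the rules the workaround would load for the sample.
if ipf_default_is_block "$SAMPLE_IPF_V"; then
    echo "kernel default is block: constructing minimal name resolution rules"
    dns_rules "$(nameservers_from_resolv "$SAMPLE_RESOLV")"
else
    echo "kernel default is pass: no bootstrap DNS rules needed"
fi
```

Run with `sh` to see the rules for the constructed sample; to test against a live box, pass `"$(ipf -V)"` and `"$(cat /etc/resolv.conf)"` instead. The point the thread makes still holds: whether these rules are loaded at all depends on the compiled-in default, so a site whose rule file blocks DNS on purpose should check which branch its kernel takes.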
