List: ipfilter
Subject: Re: sysv init start order for ipfilter on solaris 9
From: Rudolph Pereira <rudolph () usyd ! edu ! au>
Date: 2006-10-19 23:50:47
Message-ID: 20061019235047.GD17095 () usyd ! edu ! au
On Thu, Oct 19, 2006 at 01:41:35AM -0700, Darren Reed wrote:
> The current ipfilter init script is meant to analyse /etc/resolve.conf
> and automatically allow DNS traffic, according to the set configuration.
> Where does the init script go wrong in allowing access in that manner?
ipfboot has:
========
...
block_default_workaround() {
	# flush every active rule, then build pass rules for each nameserver
	ipf -F a
	echo "constructing minimal name resolution rules..."
	NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null | \
	    nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
	if [ -z "$NAMESERVERS" ] ; then
...
load_ipf_config() {
	bad=0
	if [ -r ${IPFILCONF} ]; then
		checkpfil
		# nawk exits 1 when "ipf -V" reports "Default: pass", so the
		# workaround is reached only on a block-by-default build
		if `ipf -V | \
		    nawk '$1 == "Default:" && $2 == "pass" { exit 1 }'` ; then
			block_default_workaround
		fi
========
Hence it only does that when ipfilter is compiled with deny-by-default.
Note that following your comment regarding this having security impact,
I redid my rules to not require DNS, so I have a workaround. It might be
a good idea, if the script or boot order isn't changed, to at least have
a note somewhere so others don't trip up on the same issue.
Thanks
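The two decisions the ipfboot excerpt makes (is the build block-by-default, and which nameservers get rules), reworked as an added dry-run script that is not part of ipfboot or of this thread; it takes the `ipf -V` and resolv.conf text as arguments so it can be checked on a machine without ipf. The emitted rule format is an assumption about what "minimal name resolution rules" look like, not copied from ipfboot, and all sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not the ipfboot script: the two decisions the excerpt makes,
# rewritten as functions over text so an administrator can dry-run them on a
# machine without ipf. The emitted rule format is an assumption, not ipfboot's.

# True (exit 0) when the "Default:" line of `ipf -V` output is not "pass",
# i.e. the build is block-by-default and ipfboot would run the workaround.
is_block_by_default() {
    printf '%s\n' "$1" | awk '$1 == "Default:" && $2 == "pass" { exit 1 }'
}

# Nameserver addresses from resolv.conf text, space separated, using the
# same pattern as the excerpt (field 2 of every line containing "nameserver").
nameservers_from_resolv() {
    printf '%s\n' "$1" | awk '/nameserver/ { printf "%s ", $2 }'
}

# Emit one UDP and one TCP pass rule per nameserver, restricted to port 53
# so the workaround opens nothing beyond name resolution (assumed format).
minimal_dns_rules() {
    for ns in $(nameservers_from_resolv "$1"); do
        printf 'pass out quick proto udp from any to %s port = 53 keep state\n' "$ns"
        printf 'pass out quick proto tcp from any to %s port = 53 keep state\n' "$ns"
    done
}

# Constructed sample inputs (addresses are from a documentation range, not real hosts).
IPF_V_BLOCK='ipf: IP Filter: v4.1.9 (416)
Kernel: IP Filter: v4.1.9
Running: yes
Default: block all, Logging: available'
IPF_V_PASS='ipf: IP Filter: v4.1.9 (416)
Kernel: IP Filter: v4.1.9
Running: yes
Default: pass all, Logging: available'
RESOLV_CONF='domain example.com
nameserver 192.0.2.53
nameserver 192.0.2.54'

# Dry run: rules are generated only for the block-by-default case.
if is_block_by_default "$IPF_V_BLOCK"; then
    minimal_dns_rules "$RESOLV_CONF"
fi
```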