From nobody@FreeBSD.org  Sat Feb 24 10:33:14 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id DEE3637B491
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 Feb 2001 10:33:13 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.1/8.11.1) id f1OIXDu56528;
	Sat, 24 Feb 2001 10:33:13 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200102241833.f1OIXDu56528@freefall.freebsd.org>
Date: Sat, 24 Feb 2001 10:33:13 -0800 (PST)
From: mvh@ix.netcom.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter and ppp insecure in 4.2-Stable
X-Send-Pr-Version: www-1.0

>Number:         25344
>Category:       kern
>Synopsis:       ipfilter and ppp insecure in 4.2-Stable
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 24 10:40:03 PST 2001
>Closed-Date:    Wed Jan 9 10:11:14 PST 2002
>Last-Modified:  Wed Jan 09 10:12:43 PST 2002
>Originator:     Mike Harding
>Release:        4.2-Stable
>Organization:
Namesafe
>Environment:
FreeBSD netcom1.netcom.com 4.2-STABLE FreeBSD 4.2-STABLE #1: Sat Feb 24 08:49:08 PST 2001     mvh@netcom1.netcom.com:/usr/obj/usr/src/sys/MIKEIPF  i386

>Description:
Current /etc/rc.network file sets up ipfilter rules very early.  This
is good for static interfaces, but 'tun0' (ppp interface) does not
exist yet.  The rules apparently do not apply until you do an 'ipf -y'.
This means that PPP users with the current script may be running
completely open without a firewall if they are using the January 14
or later /etc/rc.network in current, or the current version that
it was merged from.
>How-To-Repeat:
Use ipfilter on a system with a ppp interface.  Reboot.  Do some
network stuff, notice that 'ipfstat -ioh' reports no rules matched.
Do an 'ipf -y' and do some more network stuff.  Note that the packets
are now being matched.
>Fix:
Do an 'ipf -y' at the end of /etc/rc.network, after all of the interfaces
are added, if ipfilter is enabled.
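The fix and the check above, as an added sh example that is not from this PR or from FreeBSD's rc.network: a guarded resync helper for the end of interface setup, plus a parser for 'ipfstat -ioh' style output that flags the zero-hit symptom. IPF/IPFSTAT are assumed variable names so the commands can be substituted; the sample ipfstat lines are constructed and their format (hit count first) is assumed.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.network code. IPF is an assumed variable
# so the real command can be replaced when exercising the helpers.
IPF=${IPF:-ipf}

# Re-sync ipfilter with the interface list once every interface, including
# the ppp-created tun0, is up. Returns 0 when a resync ran, 1 when ipfilter
# is not enabled (mirrors the rc.conf-style ipfilter_enable knob).
ipfilter_resync() {
    case "${ipfilter_enable:-NO}" in
    [Yy][Ee][Ss])
        # ipf -y makes the kernel re-read interface names, so rules that
        # name tun0 bind to the interface that did not exist at rule load.
        "$IPF" -y
        ;;
    *)
        return 1
        ;;
    esac
}

# Read 'ipfstat -ioh' style output on stdin (assumed format: per-rule hit
# count, then the rule). Return 0 if any rule has matched traffic, 1 if none
# have, which after network activity is the open-firewall symptom in this PR.
ipf_rules_hit() {
    awk '/^[0-9]+[ \t]/ { if ($1 + 0 > 0) hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# Constructed sample as the submitter saw it before ipf -y: zero matches.
sample_before='0 block in log quick on tun0 from any to any
0 pass out quick on tun0 proto tcp from any to any keep state'

# Constructed sample after ipf -y: rules are now matching packets.
sample_after='12 block in log quick on tun0 from any to any
340 pass out quick on tun0 proto tcp from any to any keep state'

# $1 is captured ipfstat -ioh text; print a verdict and return its status.
check_rules() {
    if printf '%s\n' "$1" | ipf_rules_hit; then
        echo "ipfilter rules are matching traffic"
    else
        echo "WARNING: no rule matched; run 'ipf -y' after interfaces are up"
        return 1
    fi
}
```

Calling ipfilter_resync as the last step of interface setup, then check_rules on live 'ipfstat -ioh' output after some traffic, reproduces the submitter's verification.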
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: keramida 
State-Changed-When: Wed Jan 9 09:54:57 PST 2002 
State-Changed-Why:  
The ipfilter code of rc.network was rewritten by Arjan de Vet, 
and was committed at revision 1.112 (by darrenr) and commented at 
revision 1.113 (by ru@freebsd.org). 

Are you still having the same problem? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25344 
State-Changed-From-To: feedback->closed 
State-Changed-By: keramida 
State-Changed-When: Wed Jan 9 10:11:14 PST 2002 
State-Changed-Why:  
Submitter says problem is fixed in 4.5-RC. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=25344 
>Unformatted:
