From nobody@FreeBSD.org  Sun Jun 30 12:23:39 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7142237B401
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 30 Jun 2002 12:23:39 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0F78843E26
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 30 Jun 2002 12:23:39 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g5UJNcOT098983
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 30 Jun 2002 12:23:38 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g5UJNcQV098982;
	Sun, 30 Jun 2002 12:23:38 -0700 (PDT)
Message-Id: <200206301923.g5UJNcQV098982@www.freebsd.org>
Date: Sun, 30 Jun 2002 12:23:38 -0700 (PDT)
From: Peter <zyx@stv.sk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: firewall and network devices while booting
X-Send-Pr-Version: www-1.0

>Number:         40041
>Category:       misc
>Synopsis:       firewall and network devices while booting
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 30 12:30:01 PDT 2002
>Closed-Date:    Tue Jul 02 15:18:50 PDT 2002
>Last-Modified:  Tue Jul 02 15:18:50 PDT 2002
>Originator:     Peter
>Release:        FreeBSD 4.4-RELEASE
>Organization:
Mihalik
>Environment:
FreeBSD palma 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Tue Sep 18 11:57:08 PDT 2001 murray@builder.FreeBSD.org:/usr/src/sys/compile/GENERIC i386
>Description:
While booting, the system first brings up the network interfaces and only then initializes the firewall rules (ipfw). On a booting machine you have an initialized network interface and an uninitialized firewall for approximately 1 second. In this short time the system accepts all traffic from the network. I tested this with ping... (ehm... sorry for my English :-)))
>How-To-Repeat:
      
>Fix:
      
>Release-Note:
>Audit-Trail:

From: Brooks Davis <brooks@one-eyed-alien.net>
To: Peter <zyx@stv.sk>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/40041: firewall and network devices while booting
Date: Sun, 30 Jun 2002 12:34:54 -0700

 On Sun, Jun 30, 2002 at 12:23:38PM -0700, Peter wrote:
 > 
 > While booting, the system first brings up the network interfaces and
 > only then initializes the firewall rules (ipfw). On a booting machine
 > you have an initialized network interface and an uninitialized
 > firewall for approximately 1 second. In this short time the system
 > accepts all traffic from the network. I tested this with ping...
 
 If you have "options IPFIREWALL_DEFAULT_TO_ACCEPT" in your kernel, this
 is what is supposed to happen.  Please verify that you don't have this
 option set.
 
 -- Brooks

From: Brooks Davis <brooks@one-eyed-alien.net>
To: "-=::(Zyx)::=-" <zyx@stv.sk>
Cc: Brooks Davis <brooks@one-eyed-alien.net>,
	freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/40041: firewall and network devices while booting
Date: Sun, 30 Jun 2002 20:24:57 -0700

 On Mon, Jul 01, 2002 at 01:23:03AM +0200, -=::(Zyx)::=- wrote:
 > I have default policy deny. But when the interface is up and ipfw is
 > loading, the system accepts all traffic..
 
 It doesn't matter what your ruleset does.  If you have
 IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel you will accept packets
 before you configure your firewall.  If you don't want to do this, remove
 this option.  If you don't have this option in your kernel, and you are
 receiving packets before your rules are configured, there's an issue;
 otherwise it's your problem.
 
 -- Brooks
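
The check Brooks asks for, written out as an added example (it is not part of this PR and not FreeBSD's own tooling): a POSIX shell script that decides which default policy a kernel was built with, from two sources. One is the kernel configuration file, where an uncommented "options IPFIREWALL_DEFAULT_TO_ACCEPT" line means packets are accepted until rc.firewall loads the ruleset. The other is the output of "ipfw list": the built-in catch-all rule 65535 reads "allow ip from any to any" on a kernel built with that option and "deny ip from any to any" otherwise, so it is visible even after the ruleset is loaded. The config fragment and the two "ipfw list" outputs embedded below are constructed samples, not captured from the reporter's machine, and the kernel config path in the comments is an assumption.

```sh
#!/bin/sh
# Added example, not code from the PR or from FreeBSD. Determines the ipfw
# default policy compiled into a kernel, which is what governs the window
# between interface configuration and rc.firewall at boot.

# Constructed kernel config fragment (assumed to live at
# /usr/src/sys/i386/conf/PALMA); the option on the last line is the one
# that leaves the box open until the rules are loaded.
SAMPLE_KERNCONF='ident           PALMA
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_DEFAULT_TO_ACCEPT  # remove this for fail-closed
'

# Constructed "ipfw list" output from a kernel built WITH the option above:
# the built-in rule 65535 allows everything not matched earlier.
SAMPLE_IPFW_OPEN='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 allow ip from any to any'

# Constructed "ipfw list" output from a kernel built WITHOUT the option:
# rule 65535 denies, so nothing passes before rc.firewall runs.
SAMPLE_IPFW_CLOSED='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

# kernconf_default_policy CONFIG_TEXT -> prints "accept" or "deny".
# Only an uncommented "options IPFIREWALL_DEFAULT_TO_ACCEPT" line counts;
# a line commented out with "#" is ignored.
kernconf_default_policy() {
    if printf '%s\n' "$1" |
       grep -E '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT([[:space:]]|$)' \
       >/dev/null; then
        echo accept
    else
        echo deny
    fi
}

# ipfw_default_policy IPFW_LIST_TEXT -> prints "accept", "deny" or "unknown"
# by reading the action of the built-in rule 65535.
ipfw_default_policy() {
    rule=$(printf '%s\n' "$1" | awk '$1 == "65535" { print; exit }')
    case "$rule" in
        *" allow "*) echo accept ;;
        *" deny "*)  echo deny ;;
        *)           echo unknown ;;
    esac
}

# boot_window_verdict CONFIG_TEXT IPFW_LIST_TEXT -> one-line verdict.
# "open" means the kernel accepts traffic between ifconfig and rc.firewall;
# "closed" means it drops until the rules are loaded.
boot_window_verdict() {
    k=$(kernconf_default_policy "$1")
    r=$(ipfw_default_policy "$2")
    if [ "$k" = accept ] || [ "$r" = accept ]; then
        echo "open (kernconf=$k, rule65535=$r)"
    else
        echo "closed (kernconf=$k, rule65535=$r)"
    fi
}

# Demonstration on the constructed samples. On a live FreeBSD 4.x box the
# equivalent inputs come from:
#   ipfw list
#   cat /usr/src/sys/i386/conf/PALMA     (path assumed)
echo "open-by-default kernel:  $(boot_window_verdict "$SAMPLE_KERNCONF" "$SAMPLE_IPFW_OPEN")"
echo "fail-closed kernel:      $(boot_window_verdict 'options IPFIREWALL' "$SAMPLE_IPFW_CLOSED")"
```

Both sources should agree; if the config says deny but rule 65535 shows allow, the running kernel was not built from that config file, which is worth knowing before concluding, as Brooks puts it, that there is an issue rather than a configuration problem.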
State-Changed-From-To: open->closed 
State-Changed-By: brooks 
State-Changed-When: Tue Jul 2 15:18:13 PDT 2002 
State-Changed-Why:  
The firewall is functioning as advertised. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=40041 
>Unformatted:
