On Thu, Oct 19, 2006 at 01:41:35AM -0700, Darren Reed wrote:
> The current ipfilter init script is meant to analyse /etc/resolve.conf
> and automatically allow DNS traffic, according to the set configuration.
> Where does the init script go wrong in allowing access in that manner?
ipfboot has:
========
...
block_default_workaround() {
        ipf -F a
        echo "constructing minimal name resolution rules..."
        NAMESERVERS=`cat /etc/resolv.conf 2>/dev/null| \
                nawk '/nameserver/ {printf "%s ", $2}' 2>/dev/null`
        if [ -z "$NAMESERVERS" ] ; then
...
load_ipf_config() {
        bad=0
        if [ -r ${IPFILCONF} ]; then
                checkpfil
                if `ipf -V | \
                    nawk '$1 == "Default:" && $2 == "pass" { exit 1
                    }'` ; then
                        block_default_workaround
                fi
========
hence it only does that when ipfilter is compiled with deny-by-default.
Note that following your comment regarding this having security impact,
I redid my rules to not require DNS, so I have a workaround. It might be
a good idea, if the script or boot order isn't changed, to at least have
a note somewhere so others don't trip up on the same issue.
Thanks

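The two decisions the ipfboot excerpt makes (which addresses get a DNS exception, and whether the workaround runs at all) re-implemented as an added example so they can be exercised without ipfilter installed; this is not code from ipfboot or from this thread. It assumes only awk and mktemp; the resolv.conf contents, the "ipf -V" text and the rule lines it emits are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ipfboot itself. Mirrors the parse and the policy check.

# Print nameserver addresses from a resolv.conf-style file, one per line.
# Only lines whose first field is literally "nameserver" count, so a
# commented-out line such as "# nameserver 198.51.100.9" yields no rule
# (ipfboot's /nameserver/ regex would match that line as well).
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null
}

# Decide from "ipf -V" output whether the workaround runs: returns 0 when
# the default policy is not "pass" (deny-by-default build), 1 otherwise.
# This is the exit status ipfboot's backtick-in-if construct relies on.
needs_dns_workaround() {
    printf '%s\n' "$1" | awk '$1 == "Default:" && $2 == "pass" { exit 1 }'
}

# Emit one constructed pass rule per nameserver to show what the exception
# looks like; the rule text is illustrative, not copied from ipfboot.
dns_rules_for() {
    for ns in $(resolv_nameservers "$1"); do
        printf 'pass out quick proto udp from any to %s port = 53 keep state\n' "$ns"
    done
}

# Constructed sample resolv.conf, written to a temp file whose path is printed.
sample_resolv_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
domain example.test
nameserver 192.0.2.53
# nameserver 198.51.100.9   <- commented out, must be ignored
nameserver 2001:db8::53
options timeout:2
EOF
    printf '%s\n' "$f"
}

# Constructed "ipf -V" output for a deny-by-default and a pass-by-default build.
IPF_V_BLOCK='IP Filter: v4.1.9 (592)
Running: yes
Default: block all, Logging: available'
IPF_V_PASS='IP Filter: v4.1.9 (592)
Running: yes
Default: pass all, Logging: available'
```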