Regarding my comment on blocking a site with ipchains, I received
a message asking:
> Chip Rosenthal wrote:
>
> > (The problem with doing ipchains in rc.local is there is a
> > window of vulnerability after the network comes up. In this
> > situation, I don't think that's a big problem.)
>
> Please expand on that statement about the "window of vulnerability." Can you
> explain for the uninitiated?
Thought I'd copy the group on the response.
Networking is enabled fairly early in the boot process. This is
controlled by the order of scripts in /etc/rc.d/rc3.d. (Presuming
default runlevel == 3.) Just ls(1) that directory, and that's the
order in which things are done.
On my router (Red Hat 6.0), network initialization is done in
/etc/rc.d/rc3.d/S10network, which is the very first init script run.
rc.local is done by /etc/rc.d/rc3.d/S99local, which is the very last.
Thus, there is a window of vulnerability, possibly persisting for
several seconds, during which the network is exposed. This window
runs from the time at which networking is enabled (S10network) to
the time at which filtering is configured (S99local).
Now, if you are just using ipchains to block some twit from your
host, that's no big deal. If, however, you are depending upon ipchains
to construct a packet filter that protects your network, you may be
creating unwanted exposure.
It's a subtle problem. Then again, timing race conditions always are.
You'd have to work very hard to exploit this, but it can be done, and
so someday somebody will.
My solution was to load my firewall filter within S10network, not
rc.local. The disadvantage to this is I had to hack system scripts,
which is best avoided whenever possible.
I modified S10network (actually /etc/rc.d/init.d/network) to load ipchains
after bringing up the loopback interface, but before enabling any of the
external interfaces. That ensures my filter is in place and running
before packets even start coming into the machine.
Here is my hack:
*** /etc/rc.d/init.d/network.orig Sat Aug 14 00:29:15 1999
--- /etc/rc.d/init.d/network Sat Aug 14 00:29:15 1999
***************
*** 76,95 ****
--- 76,99 ----
action "Bringing up interface lo" ./ifup ifcfg-lo
case "$IPX" in
yes|true)
/sbin/ipx_configure --auto_primary=$IPXAUTOPRIMARY \
--auto_interface=$IPXAUTOFRAME
/sbin/ipx_internal_net add $IPXINTERNALNETNUM $IPXINTERNALNODENUM
;;
esac
+ if [ -f ./firewall-rules ] ; then
+ action "Loading firewall ipchains" /bin/sh firewall-rules
+ fi
+
for i in $interfaces_boot; do
action "Bringing up interface $i" ./ifup $i boot
done
touch /var/lock/subsys/network
;;
stop)
for i in $interfaces_boot; do
action "Shutting down interface $i" ./ifdown $i boot
done
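Review bot: the added block silently does nothing when ./firewall-rules is absent, so a missing or misnamed rules file brings every interface in $interfaces_boot up unfiltered with nothing in the boot log to say so; since the whole point of the hook is to have the filter loaded before `./ifup $i boot`, give the test an else branch that at least reports the failure (and, if the rules file is what sets the deny-by-default policies, either set those policies inline or refuse to bring the external interfaces up). Two smaller points: `./firewall-rules` is resolved against the script's current directory (the same one `./ifup` is found in), so spell the path out rather than depend on an earlier cd; and `/bin/sh firewall-rules` executes the file whatever its ownership and mode, so it must be root-owned and writable by nobody else. The stop) branch is untouched, so a `network restart` re-runs the rules on top of the chains already loaded unless firewall-rules flushes them itself.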
--
Chip Rosenthal * Unicom Systems Development http://www.unicom.com/
Has your mail server been spamproofed? http://mail-abuse.org/tsi/
Outlaw junk email * Support CAUCE http://www.cauce.org/
"Sure it's working, but couldn't you shine it up some?"
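The ordering check described above, as an added example that is not part of Chip's message: it lists the S* links of an rc directory in the order init runs them and reports whether the filter loader runs before or after the network script. The directory layout, the script names matched ("network", "local", "firewall") and the sample rc3.d it builds are my assumptions, constructed to mirror the Red Hat 6.0 layout in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects a SysV rc<N>.d
# directory the way the post describes (init runs the S* links in sorted
# name order) and reports the boot-order window between "network up" and
# "filter loaded". The script names, the directory layout and the sample
# directory built below are assumptions of mine.

# Print the S* links of an rc directory in the order init runs them.
# LC_ALL=C gives the byte-wise sort that init's own ordering uses.
rc_start_order() {
    dir=$1
    for f in "$dir"/S*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done | LC_ALL=C sort
}

# Print the first S<NN><name> link whose name contains $2; fail if none.
rc_link() {
    dir=$1 name=$2
    for f in "$dir"/S[0-9][0-9]*"$name"*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
        return 0
    done
    return 1
}

# Compare the network script ($2) with the filter loader ($3).
# Returns 0 when the filter loads first (no window), 1 when the network
# comes up before the filter is loaded (the window the post describes)
# and lists every script that runs unfiltered, 2 when a link is missing.
rc_window() {
    dir=$1 net=$2 fw=$3
    netlink=$(rc_link "$dir" "$net") || { echo "no S*$net* link in $dir"; return 2; }
    fwlink=$(rc_link "$dir" "$fw")   || { echo "no S*$fw* link in $dir: interfaces come up unfiltered"; return 2; }
    first=$(printf '%s\n%s\n' "$netlink" "$fwlink" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$fwlink" ]; then
        echo "ok: $fwlink runs before $netlink"
        return 0
    fi
    echo "window: $netlink runs before $fwlink; these run with the network up and unfiltered:"
    rc_start_order "$dir" | sed -n "/^$netlink\$/,/^$fwlink\$/p"
    return 1
}

# Constructed sample (assumption): the layout the post describes, with the
# filter loaded from rc.local (S99local) and S10network first.
make_sample_rcdir() {
    d=$(mktemp -d) || return 1
    for s in K20nfs S10network S30syslog S60lpd S99local; do : > "$d/$s"; done
    echo "$d"
}

# Stand-alone demo: show the window, then the fix of a link that sorts
# before S10network (a hypothetical S09firewall).
demo() {
    d=$(make_sample_rcdir) || return 1
    rc_window "$d" network local || :
    : > "$d/S09firewall"
    rc_window "$d" network firewall || :
    rm -rf "$d"
}
demo
```

Run against a live box as `rc_window /etc/rc.d/rc3.d network local`; a non-zero return is the window, and the listed scripts are what an attacker gets to talk to while it is open.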