Bug 25344

Summary: ipfilter and ppp insecure in 4.2-Stable
Product: Base System
Reporter: mvh <mvh>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description mvh 2001-02-24 18:40:03 UTC
Current /etc/rc.network file sets up ipfilter rules very early.  This
is good for static interfaces, but 'tun0' (ppp interface) does not
exist yet.  The rules apparently do not apply until you do a 'ipf -y'.
This means that PPP users with the current script may be running
completely open without a firewall if they are using the January 14
or later /etc/rc.network in current, or the current version that
it was merged from.

Fix: 

Do a 'ipf -y' at the end of /etc/rc.network, after all of the interfaces
are added, if ipfilter is enabled.

How-To-Repeat:

Use ipfilter on a system with a ppp interface.  Reboot.  Do some
network stuff, notice that 'ipfstat -ioh' reports no rules matched.
Do a 'ipf -y' and do some more network stuff.  Note that the packets
are now being matched.
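
Added example, not part of the original report or of FreeBSD's rc scripts: a shell check built on the How-To-Repeat steps above. It reads `ipfstat -ioh` output (a hit count followed by the rule) and flags an interface whose rules all show zero hits; the function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ipfstat -ioh` output after boot, with tun0 created
# after the rules were loaded: the tun0 rules have never matched.
SAMPLE_STALE='0 block in log quick on tun0 from 10.0.0.0/8 to any
0 pass out quick on tun0 proto tcp from any to any keep state
412 pass in quick on lo0 all
412 pass out quick on lo0 all'

# Constructed sample of the same rule set after `ipf -y` and some traffic.
SAMPLE_SYNCED='37 block in log quick on tun0 from 10.0.0.0/8 to any
74 pass out quick on tun0 proto tcp from any to any keep state
412 pass in quick on lo0 all
412 pass out quick on lo0 all'

# rule_hits IFACE: read `ipfstat -ioh` output on stdin and print
# "<rule count> <total hits>" for rules that contain "on IFACE".
rule_hits() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifc) { n++; hits += $1; break }
        }
        END { printf "%d %d\n", n, hits }'
}

# iface_rules_stale IFACE: succeed when IFACE has rules but none has matched.
iface_rules_stale() {
    set -- $(rule_hits "$1")
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# check_sample LABEL DATA IFACE: report on one captured output.
check_sample() {
    if printf '%s\n' "$2" | iface_rules_stale "$3"; then
        echo "$1: rules on $3 never matched; resync with 'ipf -y'"
    else
        echo "$1: rules on $3 are matching (or none are defined)"
    fi
}

check_sample "after boot" "$SAMPLE_STALE" tun0
check_sample "after ipf -y" "$SAMPLE_SYNCED" tun0

# Live use (assumes root and that traffic has already crossed tun0):
#   ipfstat -ioh | iface_rules_stale tun0 && ipf -y
```

Zero hits is only meaningful once traffic has crossed the interface, as in the "do some network stuff" step of the report.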
Comment 1 Giorgos Keramidas freebsd_committer freebsd_triage 2002-01-09 17:54:57 UTC
State Changed
From-To: open->feedback

The ipfilter code of rc.network was rewritten by Arjan de Vet, 
and was committed at revision 1.112 (by darrenr) and commented at 
revision 1.113 (by ru@freebsd.org). 

Are you still having the same problem?
Comment 2 Giorgos Keramidas freebsd_committer freebsd_triage 2002-01-09 18:11:14 UTC
State Changed
From-To: feedback->closed

Submitter says problem is fixed in 4.5-RC.