Firewall Wizards mailing list archives
Re: Use of single port aggregations to enhance security
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 8 Jan 2010 16:19:11 -0500
> If you're using an operating system based firewall (Linux, BSD, Solaris),
> then depending on the order of the operating system enabling firewall
> capabilities vs networking, there may be windows where packets are able
> to reach code paths that they weren't intended for because nic drivers
> start servicing packets quite early. However, nearly all of the above
> operating systems implement LACP in software. This means that there's a
> "knob" that can be used on the firewall host to control whether or not
> the switch sends stuff to the firewall, potentially allowing you to close
> that window (if it exists.) This might cause problems if you're doing
> some sort of out-of-band remote console over that port O:->

Hi Darren,

Using LACP is an interesting solution to a problem that, in most cases,
already has a simple solution, which is to not enable IP forwarding on
your firewall until rules are loaded. Using OpenBSD and pf as an example,
you would set net.inet.ip.forwarding=0 in sysctl.conf, and then in
rc.local run, in order, the scripts that call pfctl, ifconfig, and then
finally sysctl net.inet.ip.forwarding=1 to begin forwarding packets.

I admit that caring about this might require a special level of paranoia
:)

"The issue is not whether you are paranoid, it's whether you are paranoid
enough."

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
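The bring-up order described in the reply above (forwarding left at 0 by sysctl.conf, then pfctl, then ifconfig, and only then net.inet.ip.forwarding=1), written out as an added example; this is not code from the original post or from OpenBSD itself. It assumes /etc/pf.conf as the ruleset path and em0/em1 as the interface names, and adds one check the post does not spell out: if pfctl cannot load the ruleset, the function returns non-zero and forwarding stays off, so a broken ruleset fails closed rather than bringing the box up with no rules.

```shell
#!/bin/sh
# Added example (not from the original post): an rc.local-style
# bring-up sequence for an OpenBSD/pf firewall. It relies on
# net.inet.ip.forwarding=0 having been set in sysctl.conf so that
# nothing is forwarded until the last step of bring_up_firewall.
# PF_CONF, EXT_IF and INT_IF are illustrative assumptions.

PF_CONF="${PF_CONF:-/etc/pf.conf}"
EXT_IF="${EXT_IF:-em0}"
INT_IF="${INT_IF:-em1}"

# Current value of net.inet.ip.forwarding ("0" or "1").
forwarding_state() {
    sysctl -n net.inet.ip.forwarding
}

# Bring the firewall up in order: rules, interfaces, then forwarding.
# Returns 0 on success. On any failure it returns 1 without having
# touched net.inet.ip.forwarding, i.e. the host keeps not forwarding.
bring_up_firewall() {
    # 1. If forwarding is already on, the window this sequence is meant
    #    to close is already open; refuse to continue so it gets noticed.
    if [ "$(forwarding_state)" != "0" ]; then
        echo "forwarding already enabled; check sysctl.conf" >&2
        return 1
    fi

    # 2. Load the ruleset. A syntax error means no rules were installed,
    #    so stop here rather than go on to start forwarding.
    if ! pfctl -f "$PF_CONF"; then
        echo "pfctl could not load $PF_CONF; forwarding stays off" >&2
        return 1
    fi

    # 3. Make sure pf itself is enabled. pfctl -e exits non-zero when pf
    #    is already enabled, so tolerate that and verify via -si instead.
    pfctl -e >/dev/null 2>&1 || true
    if ! pfctl -si 2>/dev/null | grep -q '^Status: *Enabled'; then
        echo "pf is not enabled; forwarding stays off" >&2
        return 1
    fi

    # 4. Only now configure the interfaces.
    ifconfig "$EXT_IF" up || return 1
    ifconfig "$INT_IF" up || return 1

    # 5. Finally begin forwarding packets between interfaces.
    sysctl net.inet.ip.forwarding=1 >/dev/null
}

# Usage from rc.local:
#   . /etc/firewall-bringup.sh
#   bring_up_firewall || logger -p daemon.err "firewall bring-up failed"
```

Because the check in step 1 reads the live sysctl rather than the config file, a stray `sysctl net.inet.ip.forwarding=1` anywhere earlier in the boot sequence shows up as a hard failure at boot, which is the behaviour you want from a host whose whole purpose is to enforce the ruleset.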
Current thread:
- Use of single port aggregations to enhance security Darren Reed (Jan 07)
- Re: Use of single port aggregations to enhance security Paul Melson (Jan 08)
- Re: Use of single port aggregations to enhance security ArkanoiD (Jan 11)
- Re: Use of single port aggregations to enhance security david (Jan 12)