authorDamien Miller <djm@cvs.openbsd.org>2008-07-09 20:23:48 +0000
committerDamien Miller <djm@cvs.openbsd.org>2008-07-09 20:23:48 +0000
commit70ee4def459e032664a0e8e5138f543e43fc6447 (patch)
tree14e93777040dfb62229b87f9b27d2bcae9d001c7
parentbb1ced5a7ee17175c66e4f9d211dab567b948760 (diff)
automatically populate net.inet.(tcp|udp).baddynamic with the
contents of /etc/services so as to avoid randomly allocating source ports that correspond to well-known services. Auto-filling of the baddynamic tables is performed before reading sysctl.conf, so it is still possible to add or subtract ports, or override the autofilling entirely there. Note that this requires a new kernel and /sbin/sysctl. feedback markus@ ok markus@ deraadt@ millert@
-rw-r--r--etc/rc34
1 files changed, 33 insertions, 1 deletions
diff --git a/etc/rc b/etc/rc
index 68bac01b912..350a19a05b9 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.317 2008/06/15 04:49:34 sturm Exp $
+# $OpenBSD: rc,v 1.318 2008/07/09 20:23:47 djm Exp $
# System startup script run by init on autoboot
# or after single-user.
@@ -116,6 +116,34 @@ random_seed()
fi
}
+fill_baddynamic()
+{
+ local _service="$1"
+ local _sysctl="net.inet.${_service}.baddynamic"
+ local _name _port _srv _junk _ban
+ local _i=0
+ grep "/${_service}" /etc/services | {
+ IFS=" /"
+ while read _name _port _srv _junk; do
+ [ "x${_srv}" = "x${_service}" ] || continue;
+ if [ "x${_ban}" = "x" ]; then
+ _ban="+${_port}"
+ else
+ _ban="${_ban},+${_port}"
+ fi
+ # Flush before argv gets too long
+ if [ $((++_i)) -gt 128 ]; then
+ sysctl ${_sysctl}=${_ban} >/dev/null
+ _ban=""
+ _i=0
+ fi
+ done;
+ if [ "x${_ban}" != "x" ]; then
+ sysctl ${_sysctl}=${_ban} >/dev/null
+ fi
+ }
+}
+
# End subroutines
stty status '^T'
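Review bot: Both `sysctl ${_sysctl}=${_ban} >/dev/null` flush lines discard the exit status, so if the kernel rejects one element of a batch (for example a non-numeric `_port` read from an unusual /etc/services line) up to 128 otherwise-valid ports are silently left out of the baddynamic list. Checking the field before it is appended, `case "${_port}" in ''|*[!0-9]*) continue;; esac` right after the `_srv` test, keeps one odd entry from spoiling a whole batch, and `|| echo "${_sysctl}: update failed"` on the two flush lines would at least surface the loss on the console. The rendered page has also dropped tabs, so whether the assignment on the `IFS=" /"` line includes a tab (the services file is tab-separated) cannot be confirmed from here.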
@@ -253,6 +281,10 @@ if [ X"${pf}" != X"NO" ]; then
pfctl -e
fi
+# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services
+fill_baddynamic udp
+fill_baddynamic tcp
+
sysctl_conf
# set hostname, turn on network
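Review bot: The comment above the two `fill_baddynamic` calls says what they do but not why they sit before `sysctl_conf`; the commit message explains that the ordering is what lets sysctl.conf add, subtract or override the auto-filled entries, and a reader of rc alone has no way to recover that. Suggest extending it to `# Fill net.inet.(tcp|udp).baddynamic lists from /etc/services (before sysctl_conf, so sysctl.conf can still adjust or override them)`.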