Date: Fri, 15 Dec 1995 13:02:16 +0100
From: "Frank ten Wolde" <franky@pinewood.nl>
To: hackers@freebsd.org
Subject: Order of rules in ip_fw chain
Message-ID: <9512151302.ZM27077@pwood1.pinewood.nl>
Hi,

I have three questions/suggestions for discussion on the implementation of
the ip firewall filter in FreeBSD 2.1.0. I would like to see who shares my
ideas or if there are sound reasons why *not* to modify the existing
implementation... Here I go:

1) I would suggest adding the following lines of code in
   .../sys/netinet/ip_fw.c, line 879:

	#ifdef IPFIREWALL
	int
	ip_fw_ctl(stage, m)
		int stage;
		struct mbuf *m;
	{
		if (securelevel >= 2) {			/* NEW */
			return (EPERM);			/* NEW */
		}					/* NEW */
		if (stage == IP_FW_FLUSH) {
			free_fw_chain(&ip_fw_chain);
			return (0);
		}
		...

   This would prevent any changes in the fw chain when running in very
   secure level.

2) I noticed that the order in which the fw checks incoming packets is
   *not* the same as the order in which the packet rules were added. IMHO
   this should be fixed. I have not had the time (yet) to have a look at
   the source myself, but will do so in the next few weeks.

3) I would suggest modifying ipfw.c to give some more informative message
   if the setsockopt call fails. Now it only lists something like
   "getsockopt failed", but it does not give you the reason. A simple
   perror("") would do the trick I suppose. I will try and have a look at
   the source code in the near future.

Any discussion welcome.

-Frank ten Wolde
--
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                       Pinewood Automation B.V.
E-mail: franky@pinewood.nl                    Kluyverweg 2a
Phone:  +31-15 2682543                        2629 HT Delft
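The two kernel-side points in the message above (a securelevel gate on chain modification, and evaluation order versus insertion order) are illustrated by the following user-space model. This is an added example, not code from the original message or from the FreeBSD ip_fw sources: the rule layout, the names fw_ctl_add/fw_ctl_flush/fw_check, the flag that selects prepend versus append, and the sample addresses are all constructed for the illustration. It shows why a first-match chain that is built by prepending evaluates rules in the reverse of the order they were added, and how a securelevel check on the control path leaves an installed chain intact while refusing flush and insert with EPERM.

```c
/* Added example: user-space model of a first-match IP filter chain.
 * Not FreeBSD code; all names and sample addresses are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum fw_action { FW_ACCEPT = 0, FW_DENY = 1 };

struct fw_rule {
    uint32_t src;            /* source address to match, host byte order */
    uint32_t src_mask;       /* netmask applied to both sides before comparing */
    enum fw_action action;
    struct fw_rule *next;
};

struct fw_chain {
    struct fw_rule *head;
    int securelevel;         /* models the kernel's securelevel variable */
};

/* Control entry point modelled on the gate proposed in the mail:
 * at securelevel >= 2 every modification is refused with EPERM.
 * append != 0 links the rule at the tail; otherwise it becomes the new head. */
int fw_ctl_add(struct fw_chain *c, struct fw_rule r, int append)
{
    if (c->securelevel >= 2)
        return EPERM;
    struct fw_rule *n = malloc(sizeof *n);
    if (n == NULL)
        return ENOMEM;
    *n = r;
    n->next = NULL;
    if (!append || c->head == NULL) {     /* prepend */
        n->next = c->head;
        c->head = n;
    } else {                               /* append: walk to the tail */
        struct fw_rule *t = c->head;
        while (t->next != NULL)
            t = t->next;
        t->next = n;
    }
    return 0;
}

/* Same gate on flush: a chain loaded at boot cannot be emptied later. */
int fw_ctl_flush(struct fw_chain *c)
{
    if (c->securelevel >= 2)
        return EPERM;
    while (c->head != NULL) {
        struct fw_rule *n = c->head->next;
        free(c->head);
        c->head = n;
    }
    return 0;
}

/* First-match evaluation; deny by default when nothing matches. */
enum fw_action fw_check(const struct fw_chain *c, uint32_t src)
{
    for (const struct fw_rule *r = c->head; r != NULL; r = r->next)
        if ((src & r->src_mask) == (r->src & r->src_mask))
            return r->action;
    return FW_DENY;
}

/* Point 2: the same two rules, added in the same order, decide the same
 * packet differently depending on whether the chain prepends or appends.
 * Constructed rules: deny host 10.0.0.5/32, then accept net 10.0.0.0/8. */
int demo_order(int append)
{
    struct fw_chain c = { NULL, 0 };
    struct fw_rule deny_host = { 0x0A000005u, 0xFFFFFFFFu, FW_DENY, NULL };
    struct fw_rule allow_net = { 0x0A000000u, 0xFF000000u, FW_ACCEPT, NULL };
    fw_ctl_add(&c, deny_host, append);
    fw_ctl_add(&c, allow_net, append);
    int verdict = fw_check(&c, 0x0A000005u);   /* packet from 10.0.0.5 */
    fw_ctl_flush(&c);
    return verdict;                            /* append: DENY, prepend: ACCEPT */
}

/* Point 1: once securelevel is raised, flush is refused with EPERM and the
 * previously installed rule still decides traffic. Returns the errno seen. */
int demo_securelevel(void)
{
    struct fw_chain c = { NULL, 0 };
    struct fw_rule allow_net = { 0x0A000000u, 0xFF000000u, FW_ACCEPT, NULL };
    fw_ctl_add(&c, allow_net, 1);
    c.securelevel = 2;                          /* system is now "very secure" */
    int err = fw_ctl_flush(&c);
    if (err != EPERM)
        return -1;                              /* gate did not fire */
    if (fw_check(&c, 0x0A000001u) != FW_ACCEPT)
        return -2;                              /* rule was lost */
    c.securelevel = 0;
    fw_ctl_flush(&c);
    return err;
}

int main(void)
{
    printf("append order -> %s\n", demo_order(1) == FW_DENY ? "DENY" : "ACCEPT");
    printf("prepend order -> %s\n", demo_order(0) == FW_DENY ? "DENY" : "ACCEPT");
    printf("flush at securelevel 2 -> %s\n", strerror(demo_securelevel()));
    return 0;
}
```

The strerror() call in main also shows what point 3 of the message asks for: reporting the errno text ("Operation not permitted" for EPERM) instead of a bare "failed" tells the administrator that the chain is locked by securelevel rather than, say, that the socket option is unsupported.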
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9512151302.ZM27077>