Date: Fri, 15 Dec 1995 17:20:22 +0100
From: "Frank ten Wolde" <franky@pinewood.nl>
To: Nate Williams <nate@rocky.sri.MT.net>, "Frank ten Wolde" <franky@pinewood.nl>
Cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
Message-ID: <9512151720.ZM309@pwood1.pinewood.nl>
In-Reply-To: Nate Williams <nate@rocky.sri.MT.net> "Re: Order of rules in ip_fw chain" (Dec 15, 9:11)
References: <9512151302.ZM27077@pwood1.pinewood.nl> <199512151611.JAA16380@rocky.sri.MT.net>
On Dec 15, 9:11, Nate Williams wrote:
> Subject: Re: Order of rules in ip_fw chain
>
> > 1) I would suggest adding the following lines of code in
> > .../sys/netinet/ip_fw.c, line 879:
> >
> > #ifdef IPFIREWALL
> > int
> > ip_fw_ctl(stage, m)
> >     int stage;
> >     struct mbuf *m;
> > {
> >
> >     if (securelevel >= 2) {        NEW
> >         return (EPERM);            NEW
> >     }                              NEW
>
> Just out of curiosity, how are you adding the lines to the firewall
> list *before* the machine goes multi-user?  On my box, I can't simply
> because the networking code isn't (yet) up and running.
>

Apparently FreeBSD allows you to add the ip_fw chains *before* the network
interfaces are up.  The above code is actually running on our firewall
(FreeBSD of course :-).  In /etc/rc, just after the local file systems have
been mounted (line 81), I set up the ip_fw chain, followed by a sysctl
kern.securelevel to bump it to 2.

When you try to flush the chain (ipfw f f) you get:

    ipfw: setsockopt failed.

This should become:

    ipfw: setsockopt failed (operation not permitted).

or something similar.

> > 2) I noticed that the order in which the fw checks incoming packets is
> > *not* the same as the order in which the packet rules were added.
> > IMHO this should be fixed.  I have not had the time (yet) to have
> > a look at the source myself, but will do so in the next few weeks.
>
> Ugen was supposed to be working on this a while back.  I agree that
> something should be done.  His work was going to allow 'priority' based
> rules, which I agree would be a good thing.  Either that or allow the
> rules to be listed in the same order in the kernel as they are added.
> But, you'd need a way to modify the list in non-secure mode, so I think
> the priority based approach is probably more flexible.
>

Tell me more about 'priority' based rules, I don't grasp the basic idea
behind it (could be because it's Friday late-afternoon :-).

Unless 'priority' based rules are a pretty neat idea, I would suggest
simply applying the rules in the order they are added to the chain.  Packet
filter rules are hard to understand/design, even without the OS altering
the order of rules...

>
> Nate

-Frank
--
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                     Pinewood Automation B.V.
E-mail: franky@pinewood.nl                  Kluyverweg 2a
Phone:  +31-15 2682543                      2629 HT Delft
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9512151720.ZM309>
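The two points argued in this thread, that control operations on the chain should be refused once kern.securelevel reaches 2, and that a first-match filter must evaluate rules in the order they were added, are illustrated below in a small toy chain. This is an added example, not FreeBSD's ip_fw code and not code from either poster: the rule and chain structures, the `securelevel` global, the `fw_ctl_add`/`fw_ctl_flush`/`fw_check` functions, the constructed rules (deny everything from 10/8, accept TCP port 25 from anywhere) and the constructed packet (10.1.2.3 -> 192.168.1.1, tcp/25) are all assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy first-match filter chain (assumption: not ip_fw). It reproduces only the
 * two behaviours discussed in the thread: control calls fail with EPERM at
 * securelevel >= 2, and rules are evaluated strictly in insertion order. */
#define FW_MAX_RULES 16

enum fw_action { FW_DENY = 0, FW_ACCEPT = 1 };

struct fw_rule {
    uint32_t src, src_mask;   /* mask 0 means "any source" */
    uint32_t dst, dst_mask;   /* mask 0 means "any destination" */
    int proto, dport;         /* 0 means "any" */
    enum fw_action act;
};
struct fw_chain { struct fw_rule rules[FW_MAX_RULES]; int n; };
struct pkt { uint32_t src, dst; int proto, dport; };

static int securelevel = 0;   /* stand-in for kern.securelevel (assumption) */

/* Control path: the securelevel gate the mail proposes for ip_fw_ctl(). */
int fw_ctl_add(struct fw_chain *c, const struct fw_rule *r)
{
    if (securelevel >= 2)
        return EPERM;
    if (c->n >= FW_MAX_RULES)
        return ENOSPC;
    c->rules[c->n++] = *r;    /* append, so insertion order is preserved */
    return 0;
}

int fw_ctl_flush(struct fw_chain *c)
{
    if (securelevel >= 2)
        return EPERM;
    c->n = 0;
    return 0;
}

static int rule_matches(const struct fw_rule *r, const struct pkt *p)
{
    return (p->src & r->src_mask) == (r->src & r->src_mask)
        && (p->dst & r->dst_mask) == (r->dst & r->dst_mask)
        && (r->proto == 0 || r->proto == p->proto)
        && (r->dport == 0 || r->dport == p->dport);
}

/* First matching rule decides; nothing matched means deny. *which receives
 * the index of the deciding rule, or -1 when the default applied. */
enum fw_action fw_check(const struct fw_chain *c, const struct pkt *p, int *which)
{
    for (int i = 0; i < c->n; i++) {
        if (rule_matches(&c->rules[i], p)) {
            if (which) *which = i;
            return c->rules[i].act;
        }
    }
    if (which) *which = -1;
    return FW_DENY;
}

/* Constructed rules: 10.0.0.0/8 -> deny; tcp (6) to port 25 from anywhere -> accept. */
static const struct fw_rule deny_net10 = { 0x0A000000u, 0xFF000000u, 0, 0, 0, 0, FW_DENY };
static const struct fw_rule allow_smtp = { 0, 0, 0, 0, 6, 25, FW_ACCEPT };

/* 1 if the same packet gets a different verdict purely because of rule order. */
int demo_order_matters(void)
{
    struct fw_chain deny_first, allow_first;
    struct pkt p = { 0x0A010203u, 0xC0A80101u, 6, 25 };  /* constructed: 10.1.2.3 -> 192.168.1.1 */
    memset(&deny_first, 0, sizeof deny_first);
    memset(&allow_first, 0, sizeof allow_first);
    securelevel = 0;
    fw_ctl_add(&deny_first, &deny_net10);  fw_ctl_add(&deny_first, &allow_smtp);
    fw_ctl_add(&allow_first, &allow_smtp); fw_ctl_add(&allow_first, &deny_net10);
    return fw_check(&deny_first, &p, NULL) == FW_DENY
        && fw_check(&allow_first, &p, NULL) == FW_ACCEPT;
}

/* 1 if a chain loaded at securelevel 0 can no longer be added to or flushed
 * once securelevel is raised to 2 (the boot-time sequence in the mail). */
int demo_securelevel_locks_chain(void)
{
    struct fw_chain c;
    int rc_add, rc_flush, ok;
    memset(&c, 0, sizeof c);
    securelevel = 0;
    if (fw_ctl_add(&c, &deny_net10) != 0) return 0;
    securelevel = 2;                          /* sysctl kern.securelevel=2 */
    rc_add = fw_ctl_add(&c, &allow_smtp);
    rc_flush = fw_ctl_flush(&c);              /* the "ipfw f f" case */
    ok = rc_add == EPERM && rc_flush == EPERM && c.n == 1;
    securelevel = 0;
    return ok;
}

int main(void)
{
    printf("order matters: %d\n", demo_order_matters());
    printf("securelevel locks chain: %d\n", demo_securelevel_locks_chain());
    printf("ipfw: setsockopt failed (%s)\n", strerror(EPERM));  /* the message Frank asks for */
    return 0;
}
```

The same two rules produce opposite verdicts for the SMTP packet from 10.1.2.3 depending only on which was added first, which is why a kernel that reorders the chain behind the administrator's back makes rule sets unreviewable. The EPERM path is what turns the bare "setsockopt failed" into a message that names the cause.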