Date: Sun, 14 Apr 2002 18:04:47 +0800 From: Igor M Podlesny <poige@morning.ru> To: net@FreeBSD.ORG Cc: freebsd-isp@FreeBSD.ORG Subject: patch -- An ingress filter (RFC2827) Message-ID: <20020414180447.A93954@mars-gw.morning.ru>
next in thread | raw e-mail | index | archive | help
Hello! I'd like to know your opinion about this patch http://www.morning.ru/~poige/patchzone/ingressfiltering.patch which is mine attempt to implement an ingress filter being inspired by RFC2827 "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". (http://www.ietf.org/rfc/rfc2827.txt) It should be mentioned IMHO that this code makes another one in ip_input.c a kind of redundant -- I mean code checking/blocking the 127/8 network "on wire". BTW, I suggest if not removing it completely then adding (sys)logging into, -- 127/8-spoofing certainly should be logged. :) Another thing to pay an attention to: I deem it'd be better if a such filter was built-in into ip_fw.c, allowing such syntax for ipfw(8): deny log ip from any to any in via fxp0 spoofed But AFAIS in ip_fw.h: #define IP_FW_F_IN 0x00000100 ... #define IP_FW_F_DME 0x40000000 /* destination = me */ #define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */ and u_int32_t fw_flg; there is no free space for any additional flags... So, I was a bit unsure whether should I expand fw_flg to u_int64_t, and do any other extensions. For now I decided just to wrote something like a draft, test it (it seems to be working ;), and asking you, people, for your comments/ideas on it. P.S. A bit more info on this patch is at http://www.morning.ru/~poige/patchzone/ -- Igor M Podlesny a.k.a. Poige http://WwW.MorninG.RU/~poige To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020414180447.A93954>