From owner-freebsd-net Thu Sep 19 11:14:07 2002
Delivered-To: freebsd-net@freebsd.org
Date: Thu, 19 Sep 2002 11:14:01 -0700
From: "Crist J. Clark"
To: Adrian Penisoara
Cc: freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: Desired feature: ipfw pass for routed IPs
Message-ID: <20020919181401.GA18752@blossom.cjclark.org>
Reply-To: "Crist J. Clark"
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Sep 19, 2002 at 11:07:07AM +0300, Adrian Penisoara wrote:
> Hi,
>
> When building anti-spoofing firewall rules on a routing server it
> would be very helpful to have a way to tell ipfw (or other firewalling
> mechanisms) to pass all packets that the source or destination IP has a
> valid (static/daemon) routing entry in the kernel.
>
> Something maybe like:
>
> ipfw add allow ip from any to any routed static via xl0
> ipfw add deny ip from any to any via xl0
>
> The 'routed' keyword should accept route associated flags (like those
> listed in route(8)). That would be a desired feature too, because some
> routing daemons mark their routes in a different way (for example Zebra
> brings up the RTF_PROTO1 flag on its routes).
>
> It's been said that iproute2 in the recent Linux kernels already
> support this, but I haven't checked out closely.
>
> How hard would that be to implement?

On input packets, it'd be painful and not really practical. On output
packets, it shouldn't be _too_ bad since the routing information would
be available.

I'm not quite sure I understand why it would be needed. If there isn't
a route to send a packet out of an interface, it won't go out of the
interface. Under what conditions would you see yourself blocking
packets? Is this really an ackbassward way to filter routes from
routing daemons?
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
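To make the semantics of the proposed `routed <flag>` qualifier concrete, here is an added, self-contained model of the two example rules in the quoted message. It is not part of the thread and not ipfw code: it emulates the kernel routing table with a longest-prefix lookup, checks the route's flag bits the way `routed static` or a Zebra-style `routed proto1` would, and evaluates the `allow ... routed static via xl0` / `deny ... via xl0` pair for a packet. The RTF_* bit values are those from FreeBSD's `<net/route.h>`; the keyword-to-flag map, the `Route`/`RoutingTable` classes and the sample routes and addresses are constructed for illustration. One thing the model makes visible that the proposal does not: with a default route installed, a flag-less `routed` matches every address, so only the flag qualifier gives the rule anti-spoofing value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Route flag bits as defined in FreeBSD's <net/route.h>.
RTF_UP = 0x1
RTF_GATEWAY = 0x2
RTF_STATIC = 0x800
RTF_PROTO1 = 0x8000   # the flag Zebra sets on its routes, per the quoted message

# Constructed keyword-to-flag map for a hypothetical 'routed <flag>' qualifier.
ROUTE_KEYWORDS = {"static": RTF_STATIC, "proto1": RTF_PROTO1, "gateway": RTF_GATEWAY}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    flags: int


class RoutingTable:
    """Toy stand-in for the kernel routing table: longest-prefix match lookup."""

    def __init__(self, routes: List[Route]):
        # Most specific prefix first, so the first containing prefix wins.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[Route]:
        ip = ipaddress.ip_address(addr)
        for r in self.routes:
            if (r.flags & RTF_UP) and ip in r.prefix:
                return r
        return None


def routed(table: RoutingTable, addr: str, keyword: Optional[str] = None) -> bool:
    """Emulate 'routed [<flag>]': True if addr has an up route carrying the flag.
    Without a keyword any usable route matches, including a default route."""
    r = table.lookup(addr)
    if r is None:
        return False
    if keyword is None:
        return True
    return bool(r.flags & ROUTE_KEYWORDS[keyword])


def rule_action(table: RoutingTable, src: str, dst: str, iface: str,
                keyword: str = "static", via: str = "xl0") -> Optional[str]:
    """Evaluate the proposed rule pair for one packet seen on `iface`:
         ipfw add allow ip from any to any routed static via xl0
         ipfw add deny  ip from any to any via xl0
    Returns "allow", "deny", or None when neither rule matches (other interface)."""
    if iface != via:
        return None
    if routed(table, src, keyword) or routed(table, dst, keyword):
        return "allow"
    return "deny"


# Constructed sample table: a static LAN route on xl0, a Zebra-learned route,
# and a default route learned from the routing daemon (RTF_PROTO1, not static).
TABLE = RoutingTable([
    Route(ipaddress.ip_network("192.0.2.0/24"), "xl0", RTF_UP | RTF_STATIC),
    Route(ipaddress.ip_network("198.51.100.0/24"), "xl1", RTF_UP | RTF_GATEWAY | RTF_PROTO1),
    Route(ipaddress.ip_network("0.0.0.0/0"), "xl1", RTF_UP | RTF_GATEWAY | RTF_PROTO1),
])

if __name__ == "__main__":
    # Constructed packets: a legitimate LAN host, and a source with no static route.
    for src, dst, iface in [("192.0.2.10", "203.0.113.5", "xl0"),
                            ("203.0.113.5", "10.9.9.9", "xl0"),
                            ("203.0.113.5", "10.9.9.9", "xl1")]:
        print(src, "->", dst, "via", iface, ":", rule_action(TABLE, src, dst, iface))
```

The `routed(TABLE, "203.0.113.5")` call returns True because the default route covers every address, while `routed(TABLE, "203.0.113.5", "static")` returns False; that difference is what the `static` (or `proto1`) qualifier buys. Note also that the model performs a second lookup for the source address, which is the extra cost the reply points at: the output path already has the destination route in hand, the source route does not come for free.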