From owner-freebsd-security Wed Aug 19 05:34:54 1998
Date: Wed, 19 Aug 1998 08:35:05 -0500 (EST)
From: Alfred Perlstein
To: Edwin Woudt
cc: freebsd-security@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: Gateway/firewall denial of service

how about adding an option to ignore ARPs from certain IPs to ipfw?

ala:

ipfw add 10 deny arp from 192.168.0.0/16 to any via (outside interface)

Alfred Perlstein - Programmer, HotJobs Inc. - www.hotjobs.com
-- There are operating systems, and then there's BSD. -- http://www.freebsd.org/

On Wed, 19 Aug 1998, Edwin Woudt wrote:

> I use a FreeBSD 2.2.7 machine as a gateway and firewall between a
> local network and a campus-wide network. Accidentally I discovered a
> way to change the routing table of the local network on the gateway
> from the campus network.
>
> The problem is that the kernel accepts ARP broadcasts on one interface
> of which the IP addresses are on another interface, and so making a
> machine on the local network unreachable for the gateway.
>
> I tried to find the bug in the source code, but I'm not a C expert. I
> hope somebody who is a better programmer would go through the code and
> find the bug. As the code I thought to be related looked very old,
> this might be a problem in all versions of FreeBSD and even other BSD
> operating systems.
>
> .....
>
> Suggestion: Make it impossible to change a routing table entry on one
> interface through another interface.
>
> Edwin Woudt
>
> =====================================================================
> Edwin Woudt            Calslaan 7-109
> edwin@woudt.nl         7522 MH Enschede
> ICQ: 1156462           The Netherlands
>                        +31 53 489 5010
> =====================================================================
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
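The interface check Edwin suggests, as an added Python example that is not from the thread or from FreeBSD: interface names and addresses are assumed, and the gateway side is modelled as a plain function that parses an Ethernet/ARP frame and refuses to let a frame received on one interface update an entry for an address that belongs to another interface's subnet.

```python
import ipaddress
import struct

# Constructed gateway configuration (assumed, not from the thread):
# fxp0 faces the campus network, fxp1 faces the local network.
IFACES = {
    "fxp0": ipaddress.ip_interface("10.0.5.1/24"),
    "fxp1": ipaddress.ip_interface("192.168.1.1/24"),
}

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def build_arp(src_mac, sender_ip, target_ip, op=2):
    """Build a raw broadcast Ethernet/ARP frame; used only to construct sample input."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, src_mac,
                       ipaddress.ip_address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.ip_address(target_ip).packed)
    return eth + arp

def arp_accepted(rx_iface, frame):
    """Return (accepted, reason) for an ARP frame received on rx_iface.

    A frame may only update the table if its sender IP lies on the subnet of the
    interface it arrived on, so an entry for a local-network host cannot be
    changed by a frame that came in from the campus side."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return False, "truncated frame"
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return False, "not ARP"
    htype, ptype, hlen, plen, op, _, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return False, "malformed ARP header"
    sender = ipaddress.ip_address(spa)
    rx = IFACES.get(rx_iface)
    if rx is None:
        return False, f"unknown interface {rx_iface}"
    if sender not in rx.network:
        owner = next((n for n, i in IFACES.items() if sender in i.network), None)
        return False, (f"sender {sender} belongs to {owner}, not to {rx_iface}"
                       if owner else f"sender {sender} is not on any attached subnet")
    return True, f"sender {sender} is on {rx_iface}"

if __name__ == "__main__":
    # Constructed samples: a normal reply on fxp1, and the case from the thread,
    # a frame arriving on the campus side that claims a local-network address.
    print(arp_accepted("fxp1", build_arp(b"\x00\x11\x22\x33\x44\x55", "192.168.1.20", "192.168.1.1")))
    print(arp_accepted("fxp0", build_arp(b"\x00\xaa\xbb\xcc\xdd\xee", "192.168.1.20", "192.168.1.1")))
```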