Date:      Tue, 6 May 1997 10:38:59 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        archie@whistle.com (Archie Cobbs)
Cc:        nnd@info.itfs.nsk.su, current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705060040.RAA01598@hub.freebsd.org>
In-Reply-To: <199705051812.LAA05845@bubba.whistle.com> from "Archie Cobbs" at May 5, 97 11:12:33 am

In some mail from Archie Cobbs, sie said:
> 
>  - Allow rules to have the form:
> 
>      1000 deny ip from any to any in via ed0 out via ed1
> 
>    so you can filter routed packets by both incoming AND outgoing
>    interface.

can you do this such that the route is only looked up once ?  Can you
be sure that the routing table won't change between the two lookups
if you can't do it with one (e.g. on SMP systems) ?  You could possibly
solve this by only enabling this sort of filter on the outbound side
of ed1.

>  - When a reject rule applies to an incoming TCP packet, send
>    the appropriate TCP response packet (ie., RST) instead of an
>    ICMP port unreachable.

I think you want to make this user configurable and perhaps on a per-rule
basis.

This is otherwise a rather major change in the behaviour of ipfw and
users may not agree with it (and they don't necessarily subscribe to
any freebsd mailing list either).
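
An added example, not code from this thread and not ipfw's own code, that
models the two points above as a practitioner might sketch them: a rule that
matches on both the receive and the transmit interface, evaluated only after
the one forwarding lookup has fixed the outgoing interface (so the filter
never does a second route lookup that could see a changed table), and a
per-rule choice between silent drop, ICMP port unreachable and a TCP RST
built the way RFC 793 says a reset must answer a segment. Every name in it
(Packet, Rule, ROUTES, recv_if/xmit_if, the action names) and the routing
table and rule set are constructed for illustration. For orientation only:
present-day ipfw(8) does have recv/xmit interface matching and a reset
action, but the code below is a model, not that implementation.

```python
# Added example, not code from the thread or from ipfw itself: a toy model of
# the two proposals under discussion. Every name here (Packet, Rule, ROUTES,
# recv_if/xmit_if, the action names) is an assumption made for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags present, e.g. frozenset({"SYN"})
    seq: int = 0
    ack: int = 0
    payload_len: int = 0
    recv_if: Optional[str] = None   # interface the packet arrived on
    xmit_if: Optional[str] = None   # interface chosen by the route lookup

@dataclass
class Rule:
    number: int
    action: str                     # "allow", "deny", "reject" (ICMP), "reset" (TCP RST)
    proto: str = "ip"
    dport: Optional[int] = None
    recv_if: Optional[str] = None   # "in via X"
    xmit_if: Optional[str] = None   # "out via Y"

# Constructed toy routing table: (prefix, outgoing interface), most specific first.
ROUTES = [("192.168.1.", "ed1"), ("10.", "ed0")]

def route_lookup(dst: str) -> Optional[str]:
    """The single forwarding lookup. Its result is stored on the packet, so the
    filter never consults the routing table again and cannot observe a table
    change between two lookups."""
    for prefix, ifname in ROUTES:
        if dst.startswith(prefix):
            return ifname
    return None

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every option it sets agrees with the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.recv_if is not None and rule.recv_if != pkt.recv_if:
        return False
    if rule.xmit_if is not None and rule.xmit_if != pkt.xmit_if:
        return False
    return True

def first_match(rules, pkt: Packet) -> Optional[Rule]:
    """ipfw-style first match: the lowest-numbered matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule
    return None

def build_response(action: str, pkt: Packet) -> Optional[dict]:
    """Per-rule choice of what the rejecting host sends back."""
    if action == "deny":
        return None                                  # silent drop
    if action == "reject" or pkt.proto != "tcp":
        return {"type": "icmp", "code": "port-unreachable", "to": pkt.src}
    # action == "reset": answer the segment with a TCP RST per RFC 793.
    if "RST" in pkt.flags:
        return None                                  # never answer a RST with a RST
    reply = {"type": "tcp", "to": pkt.src, "sport": pkt.dport, "dport": pkt.sport}
    if "ACK" in pkt.flags:
        # seq taken from the offending segment's ACK number, no ACK bit set
        reply.update(flags=frozenset({"RST"}), seq=pkt.ack, ack=0)
    else:
        # seq 0, ACK = incoming seq + segment length (SYN and FIN each count one)
        seglen = pkt.payload_len + ("SYN" in pkt.flags) + ("FIN" in pkt.flags)
        reply.update(flags=frozenset({"RST", "ACK"}), seq=0, ack=(pkt.seq + seglen) % 2**32)
    return reply

def forward(rules, pkt: Packet):
    """Forwarding path: packet received on recv_if, one route lookup fixes
    xmit_if, then the rule set runs once with both interfaces known. Rules
    using 'out via' are therefore only ever evaluated where xmit_if is set."""
    pkt.xmit_if = route_lookup(pkt.dst)
    rule = first_match(rules, pkt)
    if rule is None or rule.action == "allow":
        return "forwarded", None
    return rule.action, build_response(rule.action, pkt)

# Constructed rule set: rule 1000 is the quoted "in via ed0 out via ed1"
# example; 900 and 950 show the per-rule reject behaviour asked for above.
RULES = [
    Rule(900, "reset", proto="tcp", dport=23, recv_if="ed0"),
    Rule(950, "reject", proto="udp", dport=111, recv_if="ed0"),
    Rule(1000, "deny", recv_if="ed0", xmit_if="ed1"),
    Rule(65535, "allow"),
]

if __name__ == "__main__":
    syn = Packet("tcp", "10.0.0.5", "192.168.1.10", 40000, 23,
                 frozenset({"SYN"}), seq=1000, recv_if="ed0")
    print(forward(RULES, syn))
```

The ordering in forward() is the whole point of Darren's suggestion: because
xmit_if is filled in by the one lookup the forwarding path already has to do,
a rule naming both interfaces costs nothing extra and cannot race the routing
table. The RST branch also shows why a per-rule option matters: a RST is only
correct for TCP, must never answer another RST, and its sequence numbers
depend on the offending segment, whereas the ICMP unreachable is the same
for every protocol.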
