Date:      Tue, 6 May 1997 10:38:59 +1000 (EST)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        archie@whistle.com (Archie Cobbs)
Cc:        nnd@info.itfs.nsk.su, current@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject:   Re: divert still broken?
Message-ID:  <199705060040.RAA01598@hub.freebsd.org>
In-Reply-To: <199705051812.LAA05845@bubba.whistle.com> from "Archie Cobbs" at May 5, 97 11:12:33 am

In some mail from Archie Cobbs, sie said:
> 
>  - Allow rules to have the form:
> 
>      1000 deny ip from any to any in via ed0 out via ed1
> 
>    so you can filter routed packets by both incoming AND outgoing
>    interface.

can you do this such that the route is only looked up once ?  Can you
be sure that the routing table won't change between the two lookups
if you can't do it with one (e.g. on SMP systems) ?  You could possibly
solve this by only enabling this sort of filter on the outbound side
of ed1.

>  - When a reject rule applies to an incoming TCP packet, send
>    the appropriate TCP response packet (ie., RST) instead of an
>    ICMP port unreachable.

I think you want to make this user configurable and perhaps on a per-rule
basis.

This is otherwise a rather major change in the behaviour of ipfw and
users may not agree with it (and they don't necessarily subscribe to
any freebsd mailing list either).
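Added example, not part of the thread or of the ipfw code base: how the two proposals above look in the rule syntax ipfw(8) later adopted. "recv ed0 xmit ed1" is the shipped form of the "in via ed0 out via ed1" rule Archie proposed, pinned to the outbound pass as Darren suggested (the transmit interface is only known once the packet has been routed, so the route is looked up once, on output); "reset" and "unreach port" are the per-rule choice between a TCP RST and an ICMP port unreachable. The interface names ed0/ed1 and the port numbers are assumptions chosen for illustration, and the script only builds and prints rule text, it never invokes ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): build ipfw(8) rule text for the two
# proposals discussed. ed0/ed1 and the ports below are assumed for the
# illustration. Nothing here executes ipfw; the rules are printed so they
# can be reviewed before being loaded on a real box.

# Deny packets being forwarded from IN_IF to OUT_IF. Matching on both the
# receive and transmit interface is only meaningful on the outbound pass
# (the transmit interface is unknown on input), so the rule carries "out".
#   usage: routed_deny_rule NUM IN_IF OUT_IF
routed_deny_rule() {
    printf 'add %s deny ip from any to any out recv %s xmit %s\n' "$1" "$2" "$3"
}

# Reject inbound TCP to PORT, choosing the rejection mechanism per rule:
#   MODE=rst   -> "reset": drop the packet and answer with a TCP RST
#   MODE=icmp  -> "unreach port": drop and answer with ICMP port unreachable
#   usage: tcp_reject_rule NUM PORT MODE
tcp_reject_rule() {
    case "$3" in
        rst)  printf 'add %s reset tcp from any to any %s in\n' "$1" "$2" ;;
        icmp) printf 'add %s unreach port tcp from any to any %s in\n' "$1" "$2" ;;
        *)    printf 'tcp_reject_rule: unknown mode "%s"\n' "$3" >&2; return 1 ;;
    esac
}

# A small ruleset: one routed-traffic deny plus two reject rules that differ
# only in what the sender gets back, followed by a catch-all allow.
example_ruleset() {
    routed_deny_rule 1000 ed0 ed1
    tcp_reject_rule  2000 23  rst
    tcp_reject_rule  2010 111 icmp
    printf 'add 65000 allow ip from any to any\n'
}

# Print the rules as ipfw command lines without running them.
example_ruleset | sed 's/^/ipfw /'
```

Loading the printed lines on a host changes what remote scanners see for the rejected ports (RST versus ICMP), which is exactly why the choice is left to each rule rather than made globally.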
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199705060040.RAA01598>