Date: Thu, 3 Aug 2000 09:57:01 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: billf@chimesnet.com (Bill Fumerola)
Cc: security@FreeBSD.ORG
Subject: Re: Ip packet filtering with bridging on freebsd (fwd)
Message-ID: <200008022357.JAA23890@cairo.anu.edu.au>
In-Reply-To: <20000802172127.E58109@jade.chc-chimes.com> from Bill Fumerola at "Aug 2, 0 05:21:27 pm"
In some mail from Bill Fumerola, sie said:
> On Wed, Aug 02, 2000 at 12:36:30PM +1000, Darren Reed wrote:
>
> > It's also not my bailiwick (that section of the code) so I'm not eager
> > to step on someone else's toes...
>
> Code that compiles doesn't seem to be your bailiwick either. I'm actually
> rather surprised that someone didn't just backout your recent batch entirely.

Sorta - it's my responsibility to make sure it works when committed.

> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.

I guess this email ranting is you being the "B" in the "BOFH"...

> PS. maybe it's not even the kernel's job to make sanity checks before handing
> off to the ipfw/ipfilter. What if ipfw/ipfilter wants to look at the original
> packet?

This is another problem and people are trying to solve too many problems with
the same code line then.

IP Filter (and maybe ipfw) is built to do packet filtering for IP packets,
*NOT* ethernet packets. Small but significant difference. As such, when doing
IP filtering it is unreasonable to expect (or assume) that any fields from the
link layer protocol will be present.

If you want to do filtering on layer 2 packets/information then I'd recommend
implementing something using BPF.

Darren
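The distinction Darren draws above, as an added example that is not part of the thread or of the ipfw/IP Filter code: a bridge-side check (hypothetical names) that strips the Ethernet header and validates the IPv4 header before handing the packet to an IP-only filter hook, and hands non-IP frames back for layer-2 handling instead of letting the IP filter see them.

```c
#include <stddef.h>
#include <stdint.h>

#define ETHER_HDR_LEN 14
#define ETHERTYPE_IP  0x0800

enum verdict { FILTER_NOT_IP = -1, FILTER_DROP = 0, FILTER_PASS = 1 };

/* Hypothetical IP-layer hook standing in for an ipfw/ipfilter check entry.
 * It is handed an IP packet only, so it never looks for link-layer fields.
 * Toy policy for the demo: drop packets whose TTL is already zero. */
static enum verdict ip_filter_hook(const uint8_t *ip, size_t len)
{
    (void)len;                     /* the toy policy needs only the fixed header */
    return ip[8] == 0 ? FILTER_DROP : FILTER_PASS;
}

/* Bridge-side sanity check done before the IP filter is consulted: strip the
 * Ethernet header and verify a plausible IPv4 header follows (checksum and
 * options are left to the filter itself). */
enum verdict bridge_filter_frame(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN)
        return FILTER_DROP;                      /* runt frame */
    unsigned ethertype = (unsigned)frame[12] << 8 | frame[13];
    if (ethertype != ETHERTYPE_IP)
        return FILTER_NOT_IP;                    /* ARP etc.: layer-2 policy (BPF), not ours */
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t iplen = len - ETHER_HDR_LEN;
    if (iplen < 20 || (ip[0] >> 4) != 4)
        return FILTER_DROP;                      /* truncated or not IPv4 */
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    size_t tlen = (size_t)ip[2] << 8 | ip[3];
    if (hlen < 20 || tlen < hlen || tlen > iplen)
        return FILTER_DROP;                      /* bogus header/total length */
    return ip_filter_hook(ip, tlen);
}

/* Constructed sample frames, not captured traffic. */
const uint8_t ipv4_frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,         /* dst MAC, src MAC, type IP */
    0x45,0x00,0x00,0x14, 0,0, 0,0, 64,1, 0,0,    /* IPv4, len 20, TTL 64, ICMP */
    10,0,0,1, 10,0,0,2 };
const uint8_t ttl0_frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0, 0,0, 0,1, 0,0,     /* same packet with TTL 0 */
    10,0,0,1, 10,0,0,2 };
const uint8_t arp_frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x06, 0,1, 8,0, 6,4, 0,1 }; /* ARP request head */
```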