From owner-freebsd-security Wed Aug 2 16:57:15 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11])
    by hub.freebsd.org (Postfix) with ESMTP id 46B8C37B880
    for ; Wed, 2 Aug 2000 16:57:09 -0700 (PDT)
    (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost)
    by cairo.anu.edu.au (8.9.3/8.9.3) id JAA23890;
    Thu, 3 Aug 2000 09:57:02 +1000 (EST)
From: Darren Reed
Message-Id: <200008022357.JAA23890@cairo.anu.edu.au>
Subject: Re: Ip packet filtering with bridging on freebsd (fwd)
In-Reply-To: <20000802172127.E58109@jade.chc-chimes.com> from Bill Fumerola at "Aug 2, 0 05:21:27 pm"
To: billf@chimesnet.com (Bill Fumerola)
Date: Thu, 3 Aug 2000 09:57:01 +1000 (EST)
Cc: security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Bill Fumerola, sie said:
> On Wed, Aug 02, 2000 at 12:36:30PM +1000, Darren Reed wrote:
>
> > It's also not my balliwhack (that section of the code) so I'm not eager
> > to step on someone else's toes...
>
> Code that compiles doesn't seem to be your balliwhack either. I'm actually
> rather surprised that someone didn't just backout your recent batch entirely.

Sorta - it's my responsibility to make sure it works when committed.

> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.

I guess this email ranting is you being the "B" in the "BOFH"...

> PS. maybe it's not even the kernel's job to make sanity checks before handing
> off to the ipfw/ipfilter. What if ipfw/ipfilter wants to look at the original
> packet?

This is another problem and people are trying to solve too many problems with
the same code line then.

IP Filter (and maybe ipfw) is built to do packet filtering for IP packets,
*NOT* ethernet packets. Small but significant difference.

As such, when doing IP filtering it is unreasonable to expect (or assume) that
any fields from the link layer protocol will be present.

If you want to do filtering on layer 2 packets/information then I'd recommend
implementing something using BPF.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
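The distinction drawn in the message above (an IP-level filter must not be handed raw link-layer frames, so the bridge side should strip the Ethernet header and sanity-check the IPv4 header before the hand-off), as an added C example that is not part of this thread or of FreeBSD's bridge, ipfw or IP Filter code; the function names, the sample deny policy and the byte-level frame are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETHER_HDR_LEN  14
#define ETHERTYPE_IPV4 0x0800

/* An IP-level filter hook: it sees an IPv4 packet, never the Ethernet header. */
typedef int (*ip_filter_fn)(const uint8_t *ip, size_t len);

/* Returns 1 if the bridged frame carries an IPv4 packet whose header is
 * self-consistent, storing the packet start/length in *ip/*iplen; else 0. */
int bridge_extract_ipv4(const uint8_t *frame, size_t flen,
                        const uint8_t **ip, size_t *iplen)
{
    if (flen < ETHER_HDR_LEN + 20) return 0;            /* too short for IP */
    unsigned etype = (unsigned)frame[12] << 8 | frame[13];
    if (etype != ETHERTYPE_IPV4) return 0;              /* ARP, IPv6, VLAN: not IP */
    const uint8_t *h = frame + ETHER_HDR_LEN;
    size_t avail = flen - ETHER_HDR_LEN;
    size_t ihl = (size_t)(h[0] & 0x0f) * 4;             /* header length in bytes */
    size_t tot = (size_t)h[2] << 8 | h[3];              /* IP total length */
    if ((h[0] >> 4) != 4 || ihl < 20 || tot < ihl || tot > avail) return 0;
    *ip = h; *iplen = tot;
    return 1;
}

/* Sanity-check first, then hand off; anything that is not a valid IPv4
 * packet is dropped here (0) instead of being shown to the IP filter. */
int bridge_filter(const uint8_t *frame, size_t flen, ip_filter_fn f)
{
    const uint8_t *ip; size_t n;
    if (!bridge_extract_ipv4(frame, flen, &ip, &n)) return 0;
    return f(ip, n);
}

/* Sample IP filter (hypothetical policy): drop packets destined to 10/8. */
int deny_to_10_net(const uint8_t *ip, size_t len)
{
    return (len >= 20 && ip[16] == 10) ? 0 : 1;
}

/* Constructed sample frame (not captured traffic): Ethernet + IPv4/ICMP,
 * 10.0.0.1 -> 10.0.0.2, IP total length 28, 8 bytes of ICMP payload. */
const uint8_t sample_frame[42] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x01,0x00,0x00,
    10,0,0,1, 10,0,0,2, 0x08,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };
```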