Date: Fri, 26 Feb 1999 08:31:45 -0700
From: Wes Peters <wes@softweyr.com>
To: j.schripsema@kpn.com
Cc: freebsd-net@FreeBSD.ORG, sch@kpn.com
Subject: Re: TCP/IP stack question
Message-ID: <36D6BE61.E64A2CEE@softweyr.com>
References: <199902261347.OAA11430@sat-relay2.pc.telecom.ptt.nl>
Jakob Schripsema wrote:
>
> Hi,
>
> Recently we ran into 2 TCP/IP-stack related problems with our
> 2.2.2-RELEASE based Firewall:
>
> 1. An ARP related problem described in detail below
>
> 2. A (minor) problem with IPFW and IP-fragmentation: we forgot to include
> rules for IP-fragments.
You don't need rules for IP-fragments. If you block the first frag, the
rest of the fragments will be dropped by the host. Unless it has bugs,
which are a separate problem. FreeBSD doesn't appear to. ;^)
> These problems resulted in a number of arguments between FreeBSD lovers (me)
> and Linux lovers. (Comparable with the Z80 vs 6800 arguments from the old
> days ..). We have found 2 differences between the Linux stack and
> the 2.2.2 stack:
>
> 1. Linux expects a per-interface arp cache, while 2.2.2. has a global
> arp cache.
Neither is necessarily wrong.
> 2. Linux has the ability to do ip-reassembly before the firewall
> code is used.
And the point of this would be? IP packets aren't worms; if you cut
off the head, the rest of the packet dies. ;^)
> This should work but the arp-request from MHH, packet 4, contains unexpected
> information:
>
> source hardware address = mac3
> source protocol address = ip2 (I expected ip3)
This is a bug in the Linux arp response code. Get them to fix it.
> destination hardware address = NULL
> destination protocol address = ip4
>
> This packet forces the FW to change its arp-cache: the mac address for ip2
> is set to mac3. This effectively blocks all traffic between PC and MHH
Replace Linux with FreeBSD? Run whatever applications it's carrying
in compatibility mode? ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com
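
The ARP request discussed in the thread (sender hardware address mac3 paired with sender protocol address ip2), as an added example that is not part of the original message and not FreeBSD or Linux code: a check that parses an ARP payload and reports a sender binding that conflicts with the cache instead of overwriting it. The addresses are constructed stand-ins for mac3, ip2, ip3 and ip4; `check_arp`, `build_request` and the never-overwrite policy are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample values standing in for the thread's mac2/mac3 and ip2/ip3/ip4.
MAC2 = bytes.fromhex("020000000002")
MAC3 = bytes.fromhex("020000000003")
IP2, IP3, IP4 = (IPv4Address(a) for a in ("192.0.2.2", "192.0.2.3", "192.0.2.4"))

# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def parse_arp(payload: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None  # truncated packet
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return op, sha, IPv4Address(spa), IPv4Address(tpa)


def check_arp(cache: dict, payload: bytes) -> str:
    """Classify a packet against the cache: learn new bindings, never overwrite one."""
    parsed = parse_arp(payload)
    if parsed is None:
        return "malformed"
    _op, sha, spa, _tpa = parsed
    known = cache.get(spa)
    if known is None:
        cache[spa] = sha
        return "learned"
    if known != sha:
        return f"conflict: {spa} is {known.hex(':')} in cache, packet claims {sha.hex(':')}"
    return "ok"


def build_request(sha: bytes, spa: IPv4Address, tpa: IPv4Address) -> bytes:
    """Constructed ARP request (op=1) with a zeroed target hardware address."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, sha, spa.packed, bytes(6), tpa.packed)


if __name__ == "__main__":
    cache = {IP2: MAC2}
    print(check_arp(cache, build_request(MAC3, IP3, IP4)))  # the request the poster expected
    print(check_arp(cache, build_request(MAC3, IP2, IP4)))  # packet 4 as described
```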
