Date: Tue, 15 Apr 1997 09:27:59 +1000 (EST)
From: Darren Reed <darrenr@cyber.com.au>
To: jgreco@solaria.sol.net (Joe Greco)
Cc: ipfilter@postbox.anu.edu.au, isp@freebsd.org
Subject: Re: IP Filter ...
Message-ID: <199704142328.JAA03036@plum.cyber.com.au>
In-Reply-To: <199704141935.OAA07048@solaria.sol.net> from "Joe Greco" at Apr 14, 97 02:35:18 pm
In some mail I received from Joe Greco, sie wrote
[...]
> My problem seems to revolve around my inability to either control the
> order of processing within the chain, or what could be considered a
> minor deficiency in the filter rules: a lack of negation.
[...]
> The first section, "bad address" rejection, can be handled in a mildly
> roundabout way by using "quick" to always terminate rule processing as
> soon as we detect something bad.
>
> The mess starts in the second section, with the second rule. (I am quite
> aware that some of these rules overlap with previous rules.)
>
> I stop all packets leaving my network, but then on the next line(s)
> I explicitly allow packets with a source address that originated on
> my net to pass. No problem.
>
> Then I do the same thing for inbound destination addresses. I think that
> I am still fine.
>
> However, now, think about what any local policy additions would do to
> the state of a packet that would otherwise have been blocked.
>
> pass in on any port domain to any port domain
>
> as a somewhat useless example. If someone on the local ethernet were
> spoofing DNS, this would short-circuit the previous determination that
> the packet was illegitimate. (Yes, I know I could qualify the addresses
> in that line, but that gets complex rather quickly in a nontrivial
> configuration).

"Spoof" which DNS ?

I can't see that there is any option (here) to putting addresses in.

> I think what I am really looking for is a rule that simply checks the
> current state of the packet at a given point in the rule processing list
> and if it is set a particular way, terminates rule processing.

I don't quite get what you're saying here.

> Or, maybe, better yet, some sort of "goto" conditional. I come from a
> digital logic background and I can trivially translate a complex logic
> equation of this sort into a decision tree, but one needs to have some
> control...

Can you illustrate how negation/goto would help you here ?

Darren
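The ordering problem Joe describes, modelled as an added example (not code from this thread or from IP Filter itself): a small Python evaluator implementing ipf's documented semantics, where the last matching rule decides unless a matching rule is "quick", which ends processing. The local network, addresses and rule set are constructed stand-ins for the ones in the message; interfaces and protocols are omitted.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int = 0                # 0 means any destination port
    quick: bool = False           # ipf "quick": stop processing on a match

@dataclass(frozen=True)
class Packet:
    direction: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and pkt.src in rule.src
            and pkt.dst in rule.dst and rule.dport in (0, pkt.dport))

def evaluate(rules: list, pkt: Packet) -> str:
    """ipf semantics: the last matching rule decides, unless a matching rule is quick."""
    verdict = "pass"              # ipf passes traffic that matches no rule at all
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break             # "quick": later rules can no longer override
    return verdict

ANY = ipaddress.IPv4Network("0.0.0.0/0")
LOCAL = ipaddress.IPv4Network("192.0.2.0/24")   # constructed stand-in for "my net"
RULES = [
    # section 1, "bad address" rejection: a local source arriving inbound is spoofed
    Rule("block", "in", LOCAL, ANY, quick=True),
    # section 2, the overlapping block/pass pairs from the message
    Rule("block", "out", ANY, ANY),
    Rule("pass", "out", LOCAL, ANY),
    Rule("block", "in", ANY, ANY),
    Rule("pass", "in", ANY, LOCAL),
    # local policy addition with unqualified addresses: "pass in ... port domain"
    Rule("pass", "in", ANY, ANY, dport=53),
]

def verdict(rules: list, src: str, dst: str, dport: int, direction: str = "in") -> str:
    pkt = Packet(direction, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dport)
    return evaluate(rules, pkt)
```

With RULES as written, an inbound port-53 packet to an address outside LOCAL is blocked by the fourth rule and then passed again by the last one; the same packet stays blocked once that rule is qualified with `dst=LOCAL`, while the quick spoof rule holds regardless of what follows it.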
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199704142328.JAA03036>