Date:      Mon, 4 Aug 1997 09:58:14 +0300
From:      Ari Suutari <ari.suutari@ps.carel.fi>
To:        "'Julian Elischer'" <julian@whistle.com>, Archie Cobbs <archie@whistle.com>
Cc:        "owensc@enc.edu" <owensc@enc.edu>, "freebsd-hackers@FreeBSD.ORG" <freebsd-hackers@FreeBSD.ORG>
Subject:   RE: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
Message-ID:  <01BCA0BC.ED773680@ari.suutari@ps.carel.fi>

On 11 July 1997 3:14, Julian Elischer [SMTP:julian@whistle.com] wrote:
> 
> instead of the divert port number 
> (the process knows this information anyway), the rule number from
> which the diversion occurred. Also, on sendto() the port number
> could represent the rule number to restart processing from.
> in other words, if the number was 1000, processing would begin at 1001.
> 
> this would allow a divert process to leave the same number there
> that it received, and to avoid loops in that way because the
> processing would start at the NEXT rule.
> 
> present programs probably just copy this number across, so
> I guess it would be a transparent change to most of them.
> 
> does it leave us open to security holes that were
> blocked before? (see the reason archie gave above)?
> is this a real threat?
> can it be proven to (not be)/(be) a threat?
> 
> I think this would be an easy change to make.
> what do the USERS think (divert users).
> 

	Why not - at least natd won't mind, since it just copies
	the port number. However, the change might cause problems
	with existing ipfw configurations if there are pass/deny rules
	before divert rules.

		Ari S.
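To make the proposed semantics concrete, here is a small C model of a rule chain processed the way Julian describes: recvfrom() reports the number of the diverting rule in sin_port, and sendto() with sin_port = N resumes at the first rule numbered above N. It is an added example, not FreeBSD kernel or natd code. The chain (a deny rule ahead of the divert rule, the configuration Ari's caveat is about), the port numbers, the 8023 to 23 rewrite standing in for what a natd-like process does to a packet, the eight-hop loop limit and the no-match-means-deny default are all constructed assumptions.

```c
/*
 * Toy model of ipfw rule processing under the divert-socket semantics
 * proposed in the quoted message: on recvfrom() sin_port carries the
 * number of the rule that diverted the packet, and on sendto() sin_port = N
 * resumes processing at the first rule numbered above N.  This is an added
 * example, not FreeBSD kernel or natd code.  The rule chain, the port
 * numbers, the 8023 -> 23 rewrite, the eight-hop loop limit and the
 * "no match means deny" default are all constructed assumptions.
 */
#include <stdio.h>

enum action  { PASS, DENY, DIVERT };
enum verdict { V_PASS, V_DENY, V_LOOP };

struct rule {
    int number;         /* ipfw rule number; chain is kept in ascending order */
    enum action act;
    int match_dport;    /* 0 = match any packet, otherwise only this dst port */
};

struct packet {
    int dport;
};

/* Constructed chain: a deny rule sits BEFORE the divert rule, Ari's case. */
static const struct rule chain[] = {
    { 100, DENY,   23 },    /* drop telnet */
    { 200, DIVERT,  0 },    /* hand everything else to the divert process */
    { 300, PASS,    0 },
};
#define NRULES ((int)(sizeof chain / sizeof chain[0]))

/*
 * Walk the chain starting at the first rule numbered above 'after'.
 * *rule_no receives the number of the rule that decided; for DIVERT that is
 * the value the proposal reports in sin_port on recvfrom().
 */
static enum action run_chain(const struct packet *p, int after, int *rule_no)
{
    for (int i = 0; i < NRULES; i++) {
        if (chain[i].number <= after)
            continue;
        if (chain[i].match_dport != 0 && chain[i].match_dport != p->dport)
            continue;
        *rule_no = chain[i].number;
        return chain[i].act;
    }
    *rule_no = 0;
    return DENY;            /* assumed default when nothing matches */
}

/*
 * Model of the divert process (natd-like): rewrite the packet, then
 * reinject it.  The return value is what it puts in sin_port on sendto():
 * the rule number it received, copied across as the message says natd does,
 * or 0, which under the proposed semantics restarts at the top of the chain.
 */
static int divert_process(struct packet *p, int rule_no, int copy_number)
{
    if (p->dport == 8023)   /* constructed port redirection, as natd might do */
        p->dport = 23;
    return copy_number ? rule_no : 0;
}

/* Kernel + divert process round trips until a final verdict or a loop. */
static enum verdict scenario(int dport, int copy_number, int *final_rule)
{
    struct packet p = { dport };
    int after = 0, rule_no = 0;

    for (int hops = 0; hops < 8; hops++) {
        enum action a = run_chain(&p, after, &rule_no);
        if (a == PASS) { *final_rule = rule_no; return V_PASS; }
        if (a == DENY) { *final_rule = rule_no; return V_DENY; }
        after = divert_process(&p, rule_no, copy_number);
    }
    *final_rule = rule_no;
    return V_LOOP;          /* the same divert rule keeps re-matching */
}

/* Wrappers so each scenario's outcome is a plain return value. */
static enum verdict verdict_of(int dport, int copy_number)
{
    int r;
    return scenario(dport, copy_number, &r);
}

static int rule_of(int dport, int copy_number)
{
    int r;
    scenario(dport, copy_number, &r);
    return r;
}

int main(void)
{
    static const char *name[] = { "pass", "deny", "loop" };
    /* natd copies the number: resumes at 300, rule 100 never sees port 23 */
    printf("8023, copy number : %s at rule %d\n",
           name[verdict_of(8023, 1)], rule_of(8023, 1));
    /* sin_port = 0 on a packet rule 100 ignores: rule 200 diverts it forever */
    printf("80,   sin_port = 0: %s at rule %d\n",
           name[verdict_of(80, 0)], rule_of(80, 0));
    /* sin_port = 0 on the rewritten packet: rule 100 now matches and denies */
    printf("8023, sin_port = 0: %s at rule %d\n",
           name[verdict_of(8023, 0)], rule_of(8023, 0));
    return 0;
}
```

The model shows both sides of the trade-off in the thread. A process that copies the received number across resumes after the divert rule, so that rule cannot divert it a second time; the same property means rule 100 is never consulted for the rewritten packet, which is exactly why an existing configuration with pass/deny rules ahead of its divert rules can behave differently. A process that sends sin_port = 0 gets the earlier rules re-evaluated, but any packet those rules do not catch is handed back to the divert rule again and again.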



