From owner-freebsd-hackers Sun Aug 3 23:45:36 1997
Message-ID: <01BCA0BC.ED773680@ari.suutari@ps.carel.fi>
From: Ari Suutari
To: "'Julian Elischer'", Archie Cobbs
Cc: "owensc@enc.edu", "freebsd-hackers@FreeBSD.ORG"
Subject: RE: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
Date: Mon, 4 Aug 1997 09:58:14 +0300
Sender: owner-freebsd-hackers@FreeBSD.ORG

On 11 July 1997 3:14, Julian Elischer [SMTP:julian@whistle.com] wrote:
> instead of the divert port number (the process knows this information
> anyway), the rule number from which the diversion occurred. Also, on
> sendto() the port number could represent the rule number to restart
> processing from. In other words, if the number was 1000, processing would
> begin at 1001.
>
> This would allow a divert process to leave the same number there that it
> received, and to avoid loops in that way because the processing would
> start at the NEXT rule.
>
> Present programs probably just copy this number across, so I guess it
> would be a transparent change to most of them.
>
> Does it leave us open to security holes that were blocked before? (See the
> reason Archie gave above.) Is this a real threat? Can it be proven to
> (not be)/(be) a threat?
>
> I think this would be an easy change to make. What do the USERS think
> (divert users)?

Why not? At least natd won't mind, since it just copies the port number.
However, the change might cause problems with existing ipfw configurations
if there are pass/deny rules before divert rules.

Ari S.
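To make the semantics under discussion concrete, here is an added simulation (not code from the thread, from natd or from ipfw) of a rule table in which the divert process hands back the rule number it received in the port field on sendto(), beside one that re-injects with port 0. The rule numbers, addresses and match predicates are constructed for illustration.

```python
# Constructed model of the proposed ipfw/divert semantics from the thread:
# a divert rule hands the packet to a userland process together with its
# rule number; when the process re-injects the packet, processing resumes
# at the NEXT rule. This is an illustrative model, not the kernel's
# ip_fw_chk() and not a real divert socket.

MAX_PASSES = 10  # guard so a misbehaving divert process cannot loop forever

# Rule table, constructed: (rule number, action, predicate on packet)
RULES = [
    (100, "deny",   lambda p: p["src"].startswith("10.")),
    (200, "divert", lambda p: p["dst"] == "192.0.2.1"),
    (300, "pass",   lambda p: True),
]

def natd_like(pkt, rule_no):
    """Divert process that copies the received rule number back on sendto()."""
    pkt = dict(pkt, src="203.0.113.5")   # rewrite the source, as NAT would
    return pkt, rule_no                   # port field on sendto() = rule number

def naive_process(pkt, rule_no):
    """Divert process that re-injects with port 0, i.e. restarts from the top."""
    return dict(pkt, src="203.0.113.5"), 0

def ipfw_chk(pkt, divert_proc):
    """Walk the rule table; return (final action, rule numbers visited)."""
    start, trace, passes = 0, [], 0
    while passes < MAX_PASSES:
        passes += 1
        for number, action, match in RULES:
            if number <= start or not match(pkt):
                continue          # resume strictly after the given rule number
            trace.append(number)
            if action == "divert":
                pkt, start = divert_proc(pkt, number)
                break             # re-injected packet re-enters the table
            return action, trace
        else:
            return "deny", trace  # fell off the end of the table: default deny
    return "loop", trace          # the same divert rule kept firing

if __name__ == "__main__":
    pkt = {"src": "172.16.0.9", "dst": "192.0.2.1"}
    print(ipfw_chk(pkt, natd_like))       # ('pass', [200, 300])
    print(ipfw_chk(pkt, naive_process))   # ('loop', [200, 200, ...])
```

Note that the re-injected packet never revisits rule 100: rules numbered below the divert rule are not re-evaluated, which is the interaction with earlier pass/deny rules that Ari points at.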