From owner-freebsd-bugs Wed May 10 4:10:10 2000
Date: Wed, 10 May 2000 04:10:06 -0700 (PDT)
Message-Id: <200005101110.EAA50994@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Ruslan Ermilov
Subject: Re: bin/18354: NATD diverts DMZ packets to firewall host

The following reply was made to PR bin/18354; it has been noted by GNATS.

From: Ruslan Ermilov
To: Charles Mott
Cc: Brian Somers, goran.lowkrantz@infologigruppen.se, freebsd-gnats-submit@FreeBSD.org, Eivind Eklund, Ari Suutari
Subject: Re: bin/18354: NATD diverts DMZ packets to firewall host
Date: Wed, 10 May 2000 13:57:51 +0300

On Wed, May 10, 2000 at 12:38:36AM -0600, Charles Mott wrote:
> > We decided to ask about the original intentions and decide what to do
> > based on the outcome, but haven't received a reply from Charles (cc'd
> > as a gentle poke) yet.
>
> The original intention was that libalias would be cognizant
> of certain protocols (tcp, udp, icmp to start out with) and
> not alter or drop any other protocols. My opinion at the time
> was that ipfw rules should deal with other protocols.
>
> However, it appears that libalias is being generalized to
> handle arbitrary protocols, and my original thinking may no
> longer be appropriate.
>
> My suggestion is that incoming packets for arbitrary
> protocols (and not associated with any static redirect rules
> or dynamic associations) be dropped if the PKT_ALIAS_DENY_INCOMING
> bit is set.
>
The question here is what to do if PKT_ALIAS_DENY_INCOMING is NOT SET!

My opinion is that it should not be altered by libalias(3) at all.
Currently, it is redirected (by default) to aliasAddress.

As for PKT_ALIAS_DENY_INCOMING, it is honored for TCP/UDP and generic proto packets.

--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age