From owner-freebsd-security Fri Mar 1 02:10:31 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id CAA01706 for security-outgoing; Fri, 1 Mar 1996 02:10:31 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id CAA01701 for ; Fri, 1 Mar 1996 02:10:28 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0tsRn5-0003vrC; Fri, 1 Mar 96 02:10 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id LAA02185; Fri, 1 Mar 1996 11:10:21 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: Archie Cobbs
cc: security@freebsd.org
Subject: Re: IP filtering strawman, comments please.
In-reply-to: Your message of "Thu, 29 Feb 1996 18:18:30." <199603010218.SAA05571@bubba.tribe.com>
Date: Fri, 01 Mar 1996 11:10:18 +0100
Message-ID: <2183.825675018@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@freebsd.org
Precedence: bulk

> > And finally, what should be done when the rule matches:
> >
> How about:
>
> "remap X" Change the (source/dest) network number to X from whatever
> it was. This would provide very easy network address translation
> in the case that the two netmask widths are identical. This could
> be a big feature if people have to start renumbering their
> networks but aren't ready yet... cf. rfc1900.
>
> The more general case (such as remapping an entire network
> into a single IP address) is slightly harder, since you have
> to remember what UDP/TCP ports you have mapped to as well,
> time them out, sniff FTP packets, etc... but it can and has
> been done...

I would rather leave this to a user-land process by using the divert trick. I'm trying to get maximum mileage from the minimum kernel-code.
The kernel-code needs to be audited very, very carefully, so I don't want to bloat it with little-used functionality that could just as well be done in user-land.

> "divert" would be great for security auditing purposes.

And other things too. Remember that packets can be reinjected after being chewed on.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
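The equal-width "remap X" case discussed in the thread, as an added example that is not code from the thread or from FreeBSD: a prefix-preserving address rewrite, plus the RFC 1624 incremental checksum fix-up that any such rule has to apply to the IP header it rewrites. The ten-word host-order header layout, the sample header and all function names are assumptions; the one-to-many case with port tracking that the thread leaves to user-land is deliberately not covered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helpers, not FreeBSD code; addresses and header words are in host byte order. */

/* "remap X": keep the host bits, swap the network number. Only meaningful when the old and
 * new prefixes have the same width; returns false if addr is not inside old_net. */
bool remap_network(uint32_t addr, uint32_t old_net, uint32_t new_net,
                   unsigned prefix_len, uint32_t *out)
{
    if (prefix_len > 32) return false;
    uint32_t mask = prefix_len == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix_len);
    if ((addr & mask) != (old_net & mask)) return false;
    *out = (new_net & mask) | (addr & ~mask);
    return true;
}

/* Ones-complement checksum over n 16-bit words (checksum field must be zero). */
uint16_t ip_checksum(const uint16_t *w, size_t n)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += w[i];
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for one 16-bit word. */
uint16_t csum_update16(uint16_t hc, uint16_t m, uint16_t mp)
{
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~m + mp;
    while (sum >> 16)
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the source address (words 6-7) of a 20-byte IPv4 header given as ten host-order words, patching the checksum (word 5) incrementally. */
bool remap_src_in_header(uint16_t h[10], uint32_t old_net, uint32_t new_net,
                         unsigned prefix_len)
{
    uint32_t src = ((uint32_t)h[6] << 16) | h[7], nsrc;
    if (!remap_network(src, old_net, new_net, prefix_len, &nsrc)) return false;
    h[5] = csum_update16(h[5], h[6], (uint16_t)(nsrc >> 16));
    h[5] = csum_update16(h[5], h[7], (uint16_t)nsrc);
    h[6] = (uint16_t)(nsrc >> 16);
    h[7] = (uint16_t)nsrc;
    return true;
}
```

A rule that rewrites addresses but leaves the checksum stale produces packets the next hop silently drops, which is why the incremental update sits next to the remap rather than being left to the caller.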