From owner-freebsd-security Fri Mar 1 04:38:18 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA09167 for security-outgoing; Fri, 1 Mar 1996 04:38:18 -0800 (PST)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id EAA09162 for ; Fri, 1 Mar 1996 04:38:13 -0800 (PST)
Message-Id: <199603011238.EAA09162@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA020833822; Fri, 1 Mar 1996 23:37:03 +1100
From: Darren Reed
Subject: Re: IP filtering strawman, comments please.
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Fri, 1 Mar 1996 23:37:02 +1100 (EDT)
Cc: archie@tribe.com, security@freebsd.org
In-Reply-To: <2183.825675018@critter.tfs.com> from "Poul-Henning Kamp" at Mar 1, 96 11:10:18 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

In some mail from Poul-Henning Kamp, sie said:
> > > > And finally, what should be done when the rule matches:
> > >
> > > How about:
> >
> > "remap X"  Change the (source/dest) network number to X from whatever
> > it was. This would provide very easy network address translation
> > in the case that the two netmask widths are identical. This could
> > be a big feature if people have to start renumbering their
> > networks but aren't ready yet... cf. rfc1900.
> >
> > The more general case (such as remapping an entire network
> > into a single IP address) is slightly harder, since you have
> > to remember what UDP/TCP ports you have mapped to as well,
> > time them out, sniff FTP packets, etc... but it can and has
> > been done...
>
> I would rather leave this to a user-land process by using the divert
> trick. I'm trying to get maximum mileage from the minimum kernel-code.
[...]
> > "divert" would be great for security auditing purposes.
>
> and other things too. remember that packet can be reinjected after
> being chewed on.
"remap" and "divert" are two sides of the same coin. Doing things in userland is nice/safe, BUT (big BUT), there is a significant performance hit.

darren
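As an added illustration of the "remap"-via-"divert" split argued over above (example code written for this page, not code from the thread, from FreeBSD or from any packet filter of the time): the easy remap case Archie describes, same netmask width, network bits of the source address swapped, done the way a userland process fed by a divert mechanism would have to do it before handing the packet back. The point a practitioner must not skip is that the rewrite invalidates two checksums, the IP header checksum and the TCP/UDP checksum (which covers the pseudo-header, hence the source address); both are repaired incrementally per RFC 1624 so the payload is never touched. The function names, the sample packet (constructed, not captured) and the 192.168.0.0/16 target are assumptions of this example; the divert socket and the reinjection call themselves are left out, since they are the kernel side of the argument, not the rewrite.

```c
/* Added example: userland "remap" of the IPv4 source network with RFC 1624
 * incremental checksum repair. Not from the thread or any FreeBSD source;
 * names, sample packet and target network are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Network-byte-order field access. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Ones'-complement sum of 16-bit words, starting from acc, folded to 16 bits. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += rd16(p);
    if (len) acc += (uint32_t)p[0] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 32-bit field changing m -> m'. */
static uint16_t cksum_update32(uint16_t hc, uint32_t m, uint32_t mp) {
    uint32_t acc = (uint16_t)~hc;
    acc += (uint16_t)~(m >> 16); acc += (uint16_t)~(m & 0xffff);
    acc += mp >> 16;             acc += mp & 0xffff;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* "remap": replace the network bits (per mask) of the IPv4 source address with
 * those of newnet (both host order) and repair the checksums. Returns 0 on
 * success, -1 if the buffer is not a usable IPv4 header. */
int remap_src_net(uint8_t *pkt, size_t len, uint32_t newnet, uint32_t mask) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    uint32_t old = rd32(pkt + 12);
    uint32_t nw = (newnet & mask) | (old & ~mask);
    if (nw == old) return 0;                         /* already there, nothing to fix */
    wr32(pkt + 12, nw);
    wr16(pkt + 10, cksum_update32(rd16(pkt + 10), old, nw));
    /* Transport checksum: only the first fragment carries the transport header. */
    if ((rd16(pkt + 6) & 0x1fff) != 0) return 0;
    size_t coff;
    if (pkt[9] == 17) coff = ihl + 6;                /* UDP */
    else if (pkt[9] == 6) coff = ihl + 16;           /* TCP */
    else return 0;                                   /* other protocols: nothing more to fix */
    if (len < coff + 2) return 0;                    /* truncated: leave it alone */
    uint16_t hc = rd16(pkt + coff);
    if (pkt[9] == 17 && hc == 0) return 0;           /* UDP with checksum disabled */
    uint16_t nc = cksum_update32(hc, old, nw);
    if (pkt[9] == 17 && nc == 0) nc = 0xffff;        /* UDP sends a zero result as all-ones */
    wr16(pkt + coff, nc);
    return 0;
}

/* Full recomputation, used to check the incremental repairs: a correct header
 * (checksum field included) sums to 0xffff, likewise pseudo-header + segment. */
int ip_header_cksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return len >= ihl && sum16(pkt, ihl, 0) == 0xffff;
}
int transport_cksum_ok(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (tot > len || tot < ihl) return 0;
    uint32_t acc = sum16(pkt + 12, 8, 0) + pkt[9] + (uint32_t)(tot - ihl);   /* pseudo-header */
    return sum16(pkt + ihl, tot - ihl, acc) == 0xffff;
}

/* Constructed sample (not a capture): 10.1.2.3 -> 203.0.113.9, UDP 5000 -> 53, payload "ping". */
enum { SAMPLE_LEN = 32 };
uint8_t sample_pkt[SAMPLE_LEN];
size_t build_sample_packet(uint8_t *b) {
    memset(b, 0, SAMPLE_LEN);
    b[0] = 0x45; wr16(b + 2, SAMPLE_LEN); wr16(b + 4, 0x1234); b[8] = 64; b[9] = 17;
    wr32(b + 12, 0x0A010203u); wr32(b + 16, 0xCB007109u);
    wr16(b + 20, 5000); wr16(b + 22, 53); wr16(b + 24, 12); memcpy(b + 28, "ping", 4);
    wr16(b + 10, (uint16_t)~sum16(b, 20, 0));                               /* IP header checksum */
    uint16_t c = (uint16_t)~sum16(b + 20, 12, sum16(b + 12, 8, 0) + 17 + 12); /* UDP checksum */
    wr16(b + 26, c ? c : 0xffff);
    return SAMPLE_LEN;
}

/* Remaps sample_pkt into 192.168.0.0/16; returns 1 if the result still checks out. */
int remap_demo(void) {
    size_t n = build_sample_packet(sample_pkt);
    if (!ip_header_cksum_ok(sample_pkt, n) || !transport_cksum_ok(sample_pkt, n)) return 0;
    if (remap_src_net(sample_pkt, n, 0xC0A80000u, 0xFFFF0000u) != 0) return 0;
    return rd32(sample_pkt + 12) == 0xC0A80203u                                   /* 192.168.2.3 */
        && ip_header_cksum_ok(sample_pkt, n) && transport_cksum_ok(sample_pkt, n)
        && memcmp(sample_pkt + 28, "ping", 4) == 0;
}

int main(void) { printf("remap %s\n", remap_demo() ? "ok" : "FAILED"); return 0; }
```

The incremental form is what makes the userland path tolerable at all: only the header words that changed are summed, not the whole datagram. Note the two cases where the transport checksum is deliberately left alone, non-first fragments (no transport header present) and UDP with the checksum field zero (checksum disabled), and that a UDP result of zero is written back as 0xffff.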