From owner-freebsd-security Thu Nov 16 6:15:52 2000
Date: Thu, 16 Nov 2000 07:29:00 +0100
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: PPP NAT Gateway security
Message-ID: <20001116072900.S27042@speedy.gsinet>
In-Reply-To: <20001115125504.Q3759@grok>; from sreid@sea-to-sky.net on Wed, Nov 15, 2000 at 12:55:04PM -0800
Organization: System Defenestrators Inc.

On Wed, Nov 15, 2000 at 12:55 -0800, Steve Reid wrote:
> On Wed, Nov 15, 2000 at 07:22:59PM +0100, Gerhard Sittig wrote:
> > ipf already has a feature like ppp's MYADDR -- specify
> > 0.0.0.0/32 as the IP and issue "ipf -y" when interface
> > configuration changes
>
> I can't get this to work with stock ipf in 4.1-R (ipf v3.4.8).
> Nothing gets through.  Is 0.0.0.0/32 a recent addition, or is it
> or the operator just broken in 4.1-R?

I'm not certain, but I have been using it with a 4.0-R plus cvsup
machine here for quite a while.  My rule of thumb would be: if
it's in the examples, the code should handle it.  I feel this to
have been there for a while.  But I didn't bother to consult the
CVS log.

> > If it's just for variable substitution or conditional
> > "compilation", you might find my patch described in
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=21989 of interest.
>
> I thought I saw that mentioned somewhere.  I haven't bothered
> upgrading ipf though, as all the preprocessing I need can be
> done in a few lines of shell script.

Well, upgrading ipf won't help in this respect.  It's a
completely independent patch and probably won't make it into
stock ipf.  Darren is reluctant to accept it since - as you state
yourself, too - it can as well be done outside of the program.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.
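The preprocessing "outside of the program" that both posters mention could look like the sketch below. It is an added example, not part of the mail and not the patch from PR 21989; the `@MYADDR@` token, the `#if NAME` / `#endif` markers, the function names and the sample rules are all assumptions made for illustration. The address is validated before substitution so that a malformed value from a link-up script cannot smuggle extra text into the rule set.

```shell
#!/bin/sh
# Added example: preprocess an ipf rule template outside of ipf.
# @MYADDR@ and "#if NAME" / "#endif" are hypothetical conventions.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # reject anything but digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                               # split on dots (safe: digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_rules ADDR [FEATURE...]: template on stdin, finished rules on stdout.
# Lines between "#if NAME" and "#endif" are kept only if NAME was given.
# Nesting of #if blocks is not supported.
render_rules() {
    addr=$1; shift
    valid_ipv4 "$addr" || { echo "render_rules: bad address: $addr" >&2; return 1; }
    awk -v addr="$addr" -v features=" $* " '
        /^#if /   { skip = (index(features, " " $2 " ") == 0); next }
        /^#endif/ { skip = 0; next }
        skip      { next }
                  { gsub(/@MYADDR@/, addr); print }
    '
}

# Constructed sample template (not taken from the thread).
sample_template() {
    cat <<'EOF'
block in on tun0 all
pass in quick on tun0 proto tcp from any to @MYADDR@/32 port = 22 flags S keep state
#if WEB
pass in quick on tun0 proto tcp from any to @MYADDR@/32 port = 80 flags S keep state
#endif
pass out quick on tun0 from @MYADDR@/32 to any keep state
EOF
}

# Demo with a documentation address; on a real gateway the output would be
# piped to "ipf -Fa -f -" from the link-up hook instead of printed.
sample_template | render_rules 192.0.2.10 WEB
```
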