Date: Tue, 25 Jul 2000 20:14:35 -0400
From: Bill Fumerola <billf@chimesnet.com>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725201435.Q51462@jade.chc-chimes.com>
In-Reply-To: <200007260007.UAA08510@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Jul 25, 2000 at 08:07:02PM -0400
References: <Pine.BSF.4.21.0007251250050.27676-100000@snafu.adept.org> <200007252128.OAA52048@gndrsh.dnsmgr.net> <20000725193941.P51462@jade.chc-chimes.com> <200007260007.UAA08510@khavrinen.lcs.mit.edu>

On Tue, Jul 25, 2000 at 08:07:02PM -0400, Garrett Wollman wrote:
> <<On Tue, 25 Jul 2000 19:39:41 -0400, Bill Fumerola <billf@chimesnet.com> said:
>
> > (short of checking the route back before allowing the packet, which is more
> > costly etc etc, cisco has something that does this).
>
> Yep. Great feature, and it wouldn't be at all hard to implement in
> FreeBSD (it should be pretty obvious how to add the check in
> ip_forward()). Of course, even if you do that, you still need to
> filter out the ``bad'' addresses:

I've pretty much been consumed with the 2k lines of ip_fw.c recently so I have
a decent knowledge of how it works now (scary..), would this be something
we'd want to do within ipfw or as a separate entity?

Is there more data (whitepapers, etc) on what the cisco products do?

--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
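
The "check the route back before allowing the packet" idea discussed in this message, as an added sketch that is not code from the thread, from FreeBSD, or from Cisco. The `struct route` layout, `rpf_accept()`, the interface numbers and the routing table are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical route entry for this sketch; not FreeBSD's struct rtentry. */
struct route {
    uint32_t prefix;  /* network address, host byte order */
    uint8_t  len;     /* prefix length, 0..32 */
    int      ifindex; /* interface the route points out of */
};

/* Constructed table: if 1 = outside (default route), if 2 and 3 = inside. */
static const struct route sample_table[] = {
    { IP4(0, 0, 0, 0),       0, 1 },
    { IP4(192, 168, 1, 0),  24, 2 },
    { IP4(10, 0, 0, 0),      8, 3 },
};
#define SAMPLE_ROUTES (sizeof(sample_table) / sizeof(sample_table[0]))

static uint32_t mask_of(uint8_t len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len); /* avoid shift by 32 */
}

/* Strict reverse-path check: longest-prefix match on the SOURCE address,
 * then require that the route back leaves via the arrival interface.
 * Returns 1 to accept, 0 to drop (no route back, or wrong interface). */
int rpf_accept(const struct route *tbl, size_t n, uint32_t src, int in_if)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if ((src & mask_of(tbl[i].len)) != tbl[i].prefix)
            continue;
        if (best == NULL || tbl[i].len > best->len)
            best = &tbl[i];
    }
    return best != NULL && best->ifindex == in_if;
}

int main(void)
{
    /* Inside address arriving on the outside interface: dropped. */
    printf("%d\n", rpf_accept(sample_table, SAMPLE_ROUTES, IP4(192, 168, 1, 10), 1));
    /* Unrouted private source on the outside: passes via the default route. */
    printf("%d\n", rpf_accept(sample_table, SAMPLE_ROUTES, IP4(172, 16, 0, 1), 1));
    return 0;
}
```

The second call in `main()` returns 1: a source with no more specific route matches the default route, so the check alone does not remove the need for the address filtering mentioned in the quoted reply.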