From owner-freebsd-hackers Mon Aug 4 12:48:56 1997
From: Archie Cobbs
Message-Id: <199708041948.MAA29091@bubba.whistle.com>
Subject: Re: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
In-Reply-To: <01BCA0BC.ED773680@ari.suutari@ps.carel.fi> from Ari Suutari at "Aug 4, 97 09:58:14 am"
To: ari.suutari@ps.carel.fi (Ari Suutari)
Date: Mon, 4 Aug 1997 12:48:06 -0700 (PDT)
Cc: julian@whistle.com, owensc@enc.edu, freebsd-hackers@FreeBSD.ORG

> > instead of the divert port number
> > (the process knows this information anyway), the rule number from
> > which the diversion occurred. Also, on sendto() the port number
> > could represent the rule number to restart processing from.
> > in other words, if the number was 1000, processing would begin at 1001.
> >
> > this would allow a divert process to leave the same number there
> > that it received, and to avoid loops in that way because the processing
> > would start at the NEXT rule.
> >
> > present programs probably just copy this number across, so
> > I guess it would be a transparent change to most of them.
> >
> > does it leave us open to security holes that were
> > blocked before? (see the reason archie gave above)?
> > is this a real threat?
> > can it be proven to (not be)/(be) a threat?
> >
> > I think this would be an easy change to make.
> > what do the USERS think (divert users).
>
> Why not - at least natd won't mind, since it just copies
> the port number. However, change might cause problems
> with existing ipfw configurations if there are pass/deny rules
> before divert rules.

Who wants to come up with a patch? I don't have time to at the moment.

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
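A small C model of the semantics discussed in this thread, added here as an illustration and not code from the thread, from ipfw or from natd. The rule chain, the source-prefix matcher and the "naive restart at the top" mode are constructed assumptions; the point it shows is that resuming at the rule after the divert rule breaks the reinjection loop, but also skips any pass/deny rules placed before the divert rule, which is the configuration concern Ari raises.

```c
#include <string.h>

enum action { PASS, DENY, DIVERT };
struct rule { int num; enum action act; const char *src_prefix; };

/* Constructed rule chain in ipfw style: a deny placed before the divert
 * rule, as in the configurations Ari is worried about. "" matches any source. */
static const struct rule chain[] = {
    { 100, DENY,   "10." },    /* deny packets from 10/8 */
    { 200, DIVERT, ""    },    /* divert everything to the natd process */
    { 300, PASS,   ""    },    /* allow the rest */
};
#define NRULES (sizeof chain / sizeof chain[0])

/* One pass over the chain, starting at the first rule numbered above
 * start_after (0 = top of chain). Returns the action; *hit gets the rule. */
static enum action ipfw_check(const char *src, int start_after, int *hit)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (chain[i].num <= start_after)
            continue;
        if (strncmp(src, chain[i].src_prefix, strlen(chain[i].src_prefix)) != 0)
            continue;
        *hit = chain[i].num;
        return chain[i].act;
    }
    *hit = 65535;
    return DENY;               /* implicit default deny */
}

static int passes_used;        /* chain traversals in the last run() */

/* Model of a divert daemon that rewrites the source and reinjects.
 * proposed=1: the daemon echoes the rule number back in sin_port and the
 * kernel resumes at the NEXT rule (the proposal). proposed=0: a naive
 * model (assumption, not the real kernel) where the reinjected packet
 * re-enters the chain at the top and so hits the divert rule again. */
static enum action run(const char *src, const char *translated, int proposed)
{
    int hit, start = 0;
    passes_used = 0;
    for (;;) {
        enum action a = ipfw_check(src, start, &hit);
        passes_used++;
        if (a != DIVERT)
            return a;
        if (passes_used > 8)
            return DENY;       /* runaway reinjection loop: give up */
        src = translated;
        start = proposed ? hit : 0;
    }
}
```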