From owner-freebsd-security Tue Jan 25 11:34:38 2000
From: "Rodney W. Grimes"
Message-Id: <200001251934.LAA71614@gndrsh.dnsmgr.net>
Subject: Re: Merged patches
In-Reply-To: <200001251733.JAA04770@apollo.backplane.com> from Matthew Dillon at "Jan 25, 2000 09:33:16 am"
To: dillon@apollo.backplane.com (Matthew Dillon)
Date: Tue, 25 Jan 2000 11:34:11 -0800 (PST)
Cc: imp@village.org (Warner Losh), security@FreeBSD.ORG

> :this patch. I'm thinking seriously of removing the ICMP_BANDLIM
> :option as an option (eg compile the code in no matter what), but
> :raising the limit from 100 to 1000 or something like that so it won't
> :normally impact people, but those desiring to harden their servers can
> :drift the number downward.
> :
> :Comment?
> :
> :Warner
>
> I'd increase the default to 200, no higher. 1000 is probably too
> high a rate.
>
> I found a bug in the patch:
>
> : #endif
> :- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
> :- goto drop;
> :+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
> :+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
> :+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))

And yet another bugger.... you just made it impossible for anyone doing work
with the EXPERIMENTAL block at 240.0.0.0/8 on FreeBSD using TCP without
hacking the kernel code. Please remove the last check here. This one is
best handled by ipfw or ipfilter, not by kernel policy.
These are _NOT_ multicast addresses, they are simply ``reserved'' for
experimental usage!

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
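Review bot: in the `+` condition, the `IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr))` term is a policy check, not a validity check like the two `IN_MULTICAST` tests beside it: a multicast source address can never be legitimate on a TCP segment, whereas a 240.0.0.0/8 source is only reserved, so this term silently refuses TCP from any host numbered in that block with no knob to turn it off. Suggest dropping that term and keeping only `IN_MULTICAST(ntohl(ip->ip_src.s_addr))` as the added source test, leaving class E filtering to ipfw or ipfilter where an administrator can see and change it.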
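The distinction the objection turns on, as an added example written for this archive page (not code from the thread or from the FreeBSD tree): the original and patched drop conditions evaluated on constructed addresses, showing that both agree on multicast but only the patched one drops a class E (240/8) source. The `EX_`-prefixed macros mirror FreeBSD's `IN_MULTICAST`/`IN_EXPERIMENTAL` and are defined locally as an assumption so the example does not depend on the host libc's versions.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

/* Local copies of FreeBSD's <netinet/in.h> address-class tests (assumption:
 * spelled out here so the result does not vary with the host libc, whose
 * IN_EXPERIMENTAL may use a different mask). Arguments are host byte order. */
#define EX_IN_MULTICAST(a)    ((((uint32_t)(a)) & 0xf0000000u) == 0xe0000000u) /* 224.0.0.0/4 */
#define EX_IN_EXPERIMENTAL(a) ((((uint32_t)(a)) & 0xf0000000u) == 0xf0000000u) /* 240.0.0.0/4 */

/* Original tcp_input() condition: drop only when the destination is multicast. */
int drop_original(uint32_t src, uint32_t dst)
{
    (void)src;
    return EX_IN_MULTICAST(dst);
}

/* Patched condition as quoted in the thread, including the IN_EXPERIMENTAL
 * source test that the reply asks to have removed. */
int drop_patched(uint32_t src, uint32_t dst)
{
    return EX_IN_MULTICAST(dst) || EX_IN_MULTICAST(src) || EX_IN_EXPERIMENTAL(src);
}

/* Helper: dotted quad to host-order address (assumes well-formed literals). */
uint32_t addr(const char *s)
{
    struct in_addr a;
    inet_pton(AF_INET, s, &a);
    return ntohl(a.s_addr);
}

int main(void)
{
    /* Constructed sample: a class E host talking TCP to an ordinary unicast host. */
    uint32_t class_e = addr("240.1.2.3"), unicast = addr("192.0.2.1"), mcast = addr("224.0.0.1");
    printf("class E -> unicast : original drops %d, patched drops %d\n",
           drop_original(class_e, unicast), drop_patched(class_e, unicast));
    printf("mcast   -> unicast : original drops %d, patched drops %d\n",
           drop_original(mcast, unicast), drop_patched(mcast, unicast));
    printf("unicast -> mcast   : original drops %d, patched drops %d\n",
           drop_original(unicast, mcast), drop_patched(unicast, mcast));
    return 0;
}
```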