Date:      Mon, 21 Jul 2014 13:46:28 +0200
From:      Andreas Nilsson <andrnils@gmail.com>
To:        sthaug@nethelp.no
Cc:        Maxim Khitrov <max@mxcrypt.com>, Current FreeBSD <freebsd-current@freebsd.org>, Mailinglists FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Future of pf / firewall in FreeBSD ? - does it have one ?
Message-ID:  <CAPS9+SsCQr1ME8gX7+h_8s_1wwC3kg-9=_JhynJZ8pM6e5-qYw@mail.gmail.com>
In-Reply-To: <20140721.085616.74744313.sthaug@nethelp.no>
References:  <CAPS9+StPJRVSFLjpxgVEewT9fwHHFxw=qODAYa=uOAzb-V=v2Q@mail.gmail.com> <20140721.074105.74747815.sthaug@nethelp.no> <CAPS9+SsSmxZnTF8AEmEmWtGOd_8A+d_8cYUYhuC3OsLYFxGHGQ@mail.gmail.com> <20140721.085616.74744313.sthaug@nethelp.no>

On Mon, Jul 21, 2014 at 8:56 AM, <sthaug@nethelp.no> wrote:

> > > > Also, the openbsd stack has some essential features missing in freebsd,
> > > > like mpls and md5 auth for bgp sessions.
> > >
> > > I use MD5 auth for BGP sessions every day (and have been doing so for
> > > several releases). One could definitely wish for better integration -
> > > having to specify MD5 key both in /etc/ipsec.conf and in the Quagga
> > > bgpd config is not nice. But it works.
> > >
> > As far as I know you can only send out correctly authed stuff but not
> > validate incoming. Has that changed?
>
> Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> in r221023, see
>
> http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
> ----------------------------------------------------------------------
>
> Revision 221023 - (view) (download) (annotate) - [select for diffs]
> Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
> File length: 106717 byte(s)
> Diff to previous 220560
> Add the possibility to verify MD5 hash of incoming TCP packets.
> As long as this is a costy function, even when compiled in (along with
> the option TCP_SIGNATURE), it can be disabled via the
> net.inet.tcp.signature_verify_input sysctl.
>
> Sponsored by:                       Sandvine Incorporated
> Reviewed by:                        emaste, bz
> MFC after:                          2 weeks

I stand corrected. Excellent news (for me, that is) :)

Best regards
Andreas
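As an added illustration, not part of this thread or of the FreeBSD source, the Python below reimplements what RFC 2385 specifies and what a receiver such as tcp_signature_verify() has to check on an incoming segment: the MD5 digest over the IP pseudo-header, the fixed 20-byte TCP header with the checksum field zeroed (options excluded), the payload and the shared key, carried in TCP option kind 19 (length 18). The addresses, ports, sequence numbers and key are constructed sample values; the option walker and the constant-time comparison are this example's choices, not a description of the kernel's code. The TCP checksum is left at zero here because it is zeroed for the digest anyway; a real stack fills it in after signing.

```python
"""RFC 2385 TCP MD5 signature option: sign an outgoing segment, verify an incoming one.

Added example, not code from the FreeBSD tree or the mailing-list thread.
"""
import hashlib
import hmac
import socket
import struct

TCPOPT_SIGNATURE = 19     # option kind for the MD5 signature (RFC 2385)
TCPOLEN_SIGNATURE = 18    # kind + length + 16-byte digest
IPPROTO_TCP = 6


def _digest_input(saddr, daddr, tcp_header, payload, key):
    """Bytes hashed per RFC 2385: pseudo-header, fixed header (checksum=0), data, key."""
    tcp_len = len(tcp_header) + len(payload)        # header incl. options + data
    pseudo = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
              + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))
    fixed = bytearray(tcp_header[:20])              # options are NOT covered
    fixed[16:18] = b"\x00\x00"                      # checksum assumed zero
    return pseudo + bytes(fixed) + payload + key


def build_signed_segment(saddr, daddr, sport, dport, seq, ack, flags, window, payload, key):
    """Return a TCP segment (header + options + payload) carrying a valid MD5 option."""
    opt_len = TCPOLEN_SIGNATURE + 2                 # 18-byte option + 2 NOPs = 20
    doff = (20 + opt_len) // 4                      # data offset in 32-bit words (10)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4, flags, window, 0, 0)
    # The digest does not cover options, but option space must be reserved first so that
    # the TCP length in the pseudo-header and the data offset are the final values.
    reserved = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + b"\x00" * 16 + b"\x01\x01"
    digest = hashlib.md5(_digest_input(saddr, daddr, hdr + reserved, payload, key)).digest()
    opts = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + b"\x01\x01"  # NOP, NOP
    return hdr + opts + payload


def find_signature(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent/malformed."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                               # EOL
            break
        if kind == 1:                               # NOP
            i += 1
            continue
        if i + 1 >= doff:
            break                                   # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            break                                   # malformed option, stop parsing
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return segment[i + 2:i + 18]
        i += length
    return None


def verify_segment(saddr, daddr, segment, key):
    """Receiver-side check: recompute the digest and compare in constant time.

    saddr/daddr are taken from the incoming IP header (sender first), and the
    policy here is that a connection configured with a key must carry the option.
    """
    if len(segment) < 20:
        return False
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    received = find_signature(segment)
    if received is None:
        return False                                # unsigned segment on a keyed session
    expected = hashlib.md5(_digest_input(saddr, daddr, segment[:doff], segment[doff:], key)).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed sample: a BGP speaker 192.0.2.1 sends to 192.0.2.2 with a shared key.
    key = b"s3cret-bgp-key"
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40000, 1000, 2000,
                               0x18, 65535, b"BGP KEEPALIVE", key)
    print("valid   :", verify_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("bad key :", verify_segment("192.0.2.1", "192.0.2.2", seg, b"wrong"))
```

The two failure cases worth noting when reading the sysctl discussion above: a receiver that only signs but never verifies accepts the "bad key" segment, and a segment whose pseudo-header addresses differ (for instance one replayed from a different peer) fails even with the right key, because the addresses are part of the digest input.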


