From owner-freebsd-questions@FreeBSD.ORG Mon Jul 21 11:46:30 2014
Delivered-To: freebsd-questions@freebsd.org
From: Andreas Nilsson
To: sthaug@nethelp.no
Cc: Maxim Khitrov, Current FreeBSD, Mailinglists FreeBSD
Date: Mon, 21 Jul 2014 13:46:28 +0200
Subject: Re: Future of pf / firewall in FreeBSD ? - does it have one ?
In-Reply-To: <20140721.085616.74744313.sthaug@nethelp.no>
References: <20140721.074105.74747815.sthaug@nethelp.no> <20140721.085616.74744313.sthaug@nethelp.no>
List-Id: User questions

On Mon, Jul 21, 2014 at 8:56 AM, wrote:

> > > > Also, the openbsd stack has some essential features missing in freebsd,
> > > > like mpls and md5 auth for bgp sessions.
> > >
> > > I use MD5 auth for BGP sessions every day (and have been doing so for
> > > several releases). One could definitely wish for better integration -
> > > having to specify MD5 key both in /etc/ipsec.conf and in the Quagga
> > > bgpd config is not nice. But it works.
> >
> > As far as I know you can only send out correctly authed stuff but not
> > validate incoming. Has that changed?
>
> Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> in r221023, see
>
> http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
> ----------------------------------------------------------------------
>
> Revision 221023 - (view) (download) (annotate) - [select for diffs]
> Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
> File length: 106717 byte(s)
> Diff to previous 220560
> Add the possibility to verify MD5 hash of incoming TCP packets.
> As long as this is a costly function, even when compiled in (along with
> the option TCP_SIGNATURE), it can be disabled via the
> net.inet.tcp.signature_verify_input sysctl.
>
> Sponsored by: Sandvine Incorporated
> Reviewed by: emaste, bz
> MFC after: 2 weeks
>

I stand corrected. Excellent news (for me, that is) :)

Best regards
Andreas
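The exchange above is about RFC 2385 TCP MD5 signatures, the mechanism behind the TCP_SIGNATURE option and the tcp_signature_verify() function named in the quoted commit. The following Python is an added example, not code from this thread and not FreeBSD's own implementation: it computes the RFC 2385 digest (MD5 over the IPv4 pseudo-header, the fixed TCP header with the checksum zeroed, the payload and the shared key) when building a segment, and then performs the "validate incoming" step the question asks about by re-deriving the digest on the receiving side and comparing it with the option carried in the segment. The addresses, ports, payload and key are constructed sample values, and the option is padded with two NOPs so the header stays 32-bit aligned.

```python
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_SIGNATURE = 19    # RFC 2385 option kind
TCPOLEN_SIGNATURE = 18   # kind + length + 16-byte MD5 digest


def _pseudo_header(src_ip, dst_ip, segment_len):
    """IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP segment length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, segment_len))


def ones_complement_sum(data):
    """Standard Internet checksum over data (pad odd length with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fixed_header(sport, dport, seq, ack, flags, window, doff_words):
    """20-byte fixed TCP header; data offset already counts the options, checksum 0."""
    off_flags = (doff_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key):
    """RFC 2385 section 2: MD5(pseudo-header || fixed header with checksum zeroed
    || payload || key). Options are deliberately excluded from the digest."""
    doff = fixed_hdr[12] >> 4
    seg_len = doff * 4 + len(payload)        # header incl. options + data
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, seg_len))
    h.update(fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:])
    h.update(payload)
    h.update(key)
    return h.digest()


def find_signature_option(options):
    """Walk the TCP option list and return the 16-byte digest, or None if absent
    or the option list is malformed (bad lengths are treated as 'no signature')."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == TCPOPT_SIGNATURE and length == TCPOLEN_SIGNATURE:
            return options[i + 2:i + length]
        i += length
    return None


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                         payload, key):
    """Sender side: sign first, then fill in the real TCP checksum."""
    options_len = TCPOLEN_SIGNATURE + 2      # two NOP bytes of padding
    doff = (20 + options_len) // 4
    hdr = fixed_header(sport, dport, seq, ack, flags, window, doff)
    digest = tcp_md5_digest(src_ip, dst_ip, hdr, payload, key)
    options = bytes([TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + digest + b"\x01\x01"
    segment = hdr + options + payload
    csum = ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum or 0xFFFF) + segment[18:]


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver side: True only if the segment carries an RFC 2385 option whose
    digest matches what we compute with our copy of the key."""
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:hdr_len], segment[hdr_len:]
    received = find_signature_option(options)
    if received is None:
        return False                         # unsigned segment on a signed session
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, payload, key)
    return hmac.compare_digest(received, expected)


def checksum_ok(src_ip, dst_ip, segment):
    """The ordinary TCP checksum is verified independently of the signature."""
    return ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


if __name__ == "__main__":
    # Constructed sample: a BGP-style segment (port 179) with a shared key.
    src, dst, key = "192.0.2.1", "192.0.2.2", b"s3cret"
    seg = build_signed_segment(src, dst, 40000, 179, 1000, 2000, 0x18, 65535, b"OPEN", key)
    print("genuine :", verify_signed_segment(src, dst, seg, key))
    print("wrong key:", verify_signed_segment(src, dst, seg, b"other"))
    tampered = seg[:-1] + bytes([seg[-1] ^ 1])
    print("tampered :", verify_signed_segment(src, dst, tampered, key))
```

On the receiving side this corresponds to the check the quoted commit adds: the digest is recomputed from the segment and the locally configured key, and a mismatch or a missing option means the segment is rejected. The net.inet.tcp.signature_verify_input sysctl named in the commit message is what decides whether the kernel performs that step at all, which is why a defender running MD5-protected BGP sessions wants to confirm it is enabled rather than assume signing alone protects the session.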