Date: Mon, 4 Aug 1997 17:48:12 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: Archie Cobbs <archie@whistle.com>
Cc: Ari Suutari <ari.suutari@ps.carel.fi>, owensc@enc.edu, freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
Message-ID: <Pine.BSF.3.95.970804174644.2726A-100000@current1.whistle.com>
In-Reply-To: <199708041948.MAA29091@bubba.whistle.com>
Maybe I will later; I'm still in the UK for a day however..

julian

On Mon, 4 Aug 1997, Archie Cobbs wrote:

> > > > instead of the divert port number
> > > (the process knows this information anyway), the rule number from
> > > which the diversion occurred. Also, on sendto() the port number
> > > could represent the rule number to restart processing from.
> > > in other words, if the number was 1000, processing would begin at 1001.
> > >
> > > this would allow a divert process to leave the same number there
> > > that it received, and to avoid loops in that way because the processing
> > > would start at the NEXT rule.
> > >
> > > present programs probably just copy this number across, so
> > > I guess it would be a transparent change to most of them.
> > >
> > > does it leave us open to security holes that were
> > > blocked before? (see the reason archie gave above)?
> > > is this a real threat?
> > > can it be proven to (not be)/(be) a threat?
> > >
> > > I think this would be an easy change to make.
> > > what do the USERS think (divert users).
> >
> > Why not - at least natd won't mind, since it just copies
> > the port number. However, change might cause problems
> > with existing ipfw configurations if there are pass/deny rules
> > before divert rules.
>
> Who wants to come up with a patch? I don't have time to at the moment.
>
> -Archie
>
> ___________________________________________________________________________
> Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
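As an added example (not code from this thread or from FreeBSD), a constructed C model of the proposed semantics: a diverted packet carries the number of the divert rule instead of the port, and a re-injected packet resumes at the first rule after it. It shows both the loop avoidance described above and Ari's point that a pass/deny rule placed before the divert rule no longer sees re-injected packets; the rule numbers, addresses and natd-like copy-back behaviour are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the PROPOSED semantics: a diverted packet carries the
 * number of the divert rule, and re-injection resumes at the next rule. */
enum action { ACT_PASS, ACT_DENY, ACT_DIVERT };

struct rule { int number; enum action act; const char *src; };   /* src "any" matches all */
struct packet { const char *src; int divert_rule; };              /* divert_rule 0 = fresh packet */

/* Sample chain, constructed for this example: a deny rule sits BEFORE the divert rule. */
static const struct rule chain[] = {
    { 100,  ACT_DENY,   "10.0.0.1" },
    { 1000, ACT_DIVERT, "any" },
    { 2000, ACT_PASS,   "any" },
};
#define NRULES (sizeof chain / sizeof chain[0])

static int matches(const struct rule *r, const struct packet *p) {
    return strcmp(r->src, "any") == 0 || strcmp(r->src, p->src) == 0;
}

/* Walk the chain; returns the number of the deciding rule and stores its action in
 * *act. A re-injected packet with divert_rule == N skips every rule numbered <= N. */
int ipfw_check(const struct packet *p, enum action *act) {
    for (size_t i = 0; i < NRULES; i++) {
        if (chain[i].number <= p->divert_rule || !matches(&chain[i], p))
            continue;
        *act = chain[i].act;
        return chain[i].number;
    }
    *act = ACT_DENY;            /* implicit final deny */
    return 65535;
}

/* Divert process behaving like natd in the thread: it hands the number it received
 * (the rule number, in sin_port) straight back on re-injection. */
int divert_and_reinject(struct packet *p, enum action *final) {
    int rule = ipfw_check(p, final);
    if (*final != ACT_DIVERT)
        return rule;
    p->divert_rule = rule;      /* same number copied back: resume after the divert rule */
    return ipfw_check(p, final);
}

int main(void) {
    enum action act;
    struct packet p = { "10.0.0.1", 1000 };               /* re-injected by a process at rule 1000 */
    printf("decided by rule %d\n", ipfw_check(&p, &act)); /* 2000: the deny at rule 100 is bypassed */
    return 0;
}
```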