From owner-freebsd-hackers  Mon Aug  4 17:53:52 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id RAA09381
          for hackers-outgoing; Mon, 4 Aug 1997 17:53:52 -0700 (PDT)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA09373
          for <freebsd-hackers@FreeBSD.ORG>; Mon, 4 Aug 1997 17:53:50 -0700 (PDT)
Received: (from daemon@localhost)
	by alpo.whistle.com (8.8.5/8.8.5) id RAA18349;
	Mon, 4 Aug 1997 17:50:27 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22)
 via SMTP by alpo.whistle.com, id smtpd018343; Tue Aug  5 00:50:19 1997
Date: Mon, 4 Aug 1997 17:48:12 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: Archie Cobbs <archie@whistle.com>
cc: Ari Suutari <ari.suutari@ps.carel.fi>, owensc@enc.edu,
        freebsd-hackers@FreeBSD.ORG
Subject: Re: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
In-Reply-To: <199708041948.MAA29091@bubba.whistle.com>
Message-ID: <Pine.BSF.3.95.970804174644.2726A-100000@current1.whistle.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


maybe I will later
I'm still in the UK for a day however..

julian


On Mon, 4 Aug 1997, Archie Cobbs wrote:

> 
> > > instead of the divert port number 
> > > (the process knows thin information anyway), the rule number from
> > > which the diversion occured. Also, on sendto() the port number
> > > could represent the rule number  to restart processing from.
> > > in other words, if the number was 1000, processing would begin at 1001.
> > > 
> > > this would allow a divert process to leave the same number there
> > > that it received, and to avoid loops in that way because the process
> > > ing would start at the NEXT rule.
> > > 
> > > present programs probably just copy this number across, so
> > > I guess it would be a transparent change to most of them.
> > > 
> > > does it leave us open to security holes that were
> > > blocked before? (see the reason archie gave above)?
> > > is this a real threat?
> > > can it be proven to (not be)/(be) a threat?
> > > 
> > > I think this would be an easy change to make.
> > > what do the USERS think (divert users).
> > 
> > 	Why not - at last natd won't mind, since it just copies
> > 	the port number. However, change might cause problems
> > 	with existing ipfw configurations if there are pass/deny rules
> > 	before divert rules.
> 
> Who wants to come up with a patch? I don't have time to at the moment.
> 
> -Archie
> 
> ___________________________________________________________________________
> Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
>