From owner-freebsd-hackers Mon Aug 4 17:53:52 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA09381 for hackers-outgoing; Mon, 4 Aug 1997 17:53:52 -0700 (PDT) Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA09373 for ; Mon, 4 Aug 1997 17:53:50 -0700 (PDT) Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id RAA18349; Mon, 4 Aug 1997 17:50:27 -0700 (PDT) Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpd018343; Tue Aug 5 00:50:19 1997 Date: Mon, 4 Aug 1997 17:48:12 -0700 (PDT) From: Julian Elischer To: Archie Cobbs cc: Ari Suutari , owensc@enc.edu, freebsd-hackers@FreeBSD.ORG Subject: Re: IPFW-DIVERT change. WAS:[ipfw rules processing order..] In-Reply-To: <199708041948.MAA29091@bubba.whistle.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk maybe I will later I'm still in the UK for a day however.. julian On Mon, 4 Aug 1997, Archie Cobbs wrote: > > > > instead of the divert port number > > > (the process knows thin information anyway), the rule number from > > > which the diversion occured. Also, on sendto() the port number > > > could represent the rule number to restart processing from. > > > in other words, if the number was 1000, processing would begin at 1001. > > > > > > this would allow a divert process to leave the same number there > > > that it received, and to avoid loops in that way because the process > > > ing would start at the NEXT rule. > > > > > > present programs probably just copy this number across, so > > > I guess it would be a transparent change to most of them. > > > > > > does it leave us open to security holes that were > > > blocked before? (see the reason archie gave above)? > > > is this a real threat? > > > can it be proven to (not be)/(be) a threat? > > > > > > I think this would be an easy change to make. > > > what do the USERS think (divert users). > > > > Why not - at last natd won't mind, since it just copies > > the port number. However, change might cause problems > > with existing ipfw configurations if there are pass/deny rules > > before divert rules. > > Who wants to come up with a patch? I don't have time to at the moment. > > -Archie > > ___________________________________________________________________________ > Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com >