Date:      Sun, 17 Feb 2002 01:00:02 -0800 (PST)
From:      Igor M Podlesny <poige@morning.ru>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re[2]: misc/35022: network  broadcast  addresses  may be used for communications with the system just as well as if it was her own.
Message-ID:  <200202170900.g1H902w66596@freefall.freebsd.org>

The following reply was made to PR misc/35022; it has been noted by GNATS.

From: Igor M Podlesny <poige@morning.ru>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re[2]: misc/35022: network  broadcast  addresses  may be used for communications with the system just as well as if it was her own.
Date: Sun, 17 Feb 2002 15:51:23 +0700

 > I don't think 'me' not matching the broadcast address is in itself a
 > problem.
 
 I said the problem is that ip_input.c considers packets as "ours" more
 widely than IPFW's 'me' does.
 
 > The example of, 'deny ip from any to me,' demonstrates why it
 > is bad to explicitly deny. Use an explicit pass and default to deny.
 
 Alas, ipfw's syntax doesn't allow implementing this idea clearly and flexibly,
 whereas BSDi's ipfw does, as does Linux 2.4 netfilter.
 I wrote about it before.
 
 > I also think 'me' works as advertised,
 
 Yeah. It does.
 
 >              Specifying me makes the rule match any IP address configured on
 >              an interface in the system.
 
 > If you want to block a broadcast address in addition to the ones
 > assigned to the interface, do so.
 
 Yeah, of course.
 I think about
 deny ip from any to broadcast
 
 and, maybe,
 
 deny ip from any to network
 
 But my patch is just a quick hack and the above requires much more
 skills, knowledge and time in order to implement it. So I just can't
 afford it for now. But certainly I'm thinking about it.
 
 > But there was mention of another behavior that is a bug. You _can_
 > establish a TCP connection to a FreeBSD machine with the destination
 > being the broadcast address. This is oh so Very Very Bad. And it
 > breaks the Standard (the Standard being everyone's favorite, RFC1122),
 
 >          4.2.3.10  Remote Address Validation
 
 >          ...
 
 >             A TCP implementation MUST silently discard an incoming SYN
 >             segment that is addressed to a broadcast or multicast
 >             address.
 
 Yep.
 
 BTW, does it declare this for TCP only?
 
 -- 
 Igor M Podlesny a.k.a. Poige
 phone (work): +7 3912 362536 
 http://www.morning.ru/~poige 
 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
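The distinction drawn in this thread, between what ipfw's 'me' matches and what RFC 1122 section 4.2.3.10 requires a TCP stack to discard, as an added illustration that is not part of the original thread or of FreeBSD's code: a small Python model over a constructed interface table. The "ours" set in `me_gap` is an assumption modelling the PR's description of ip_input.c, not the real kernel logic.

```python
"""Model of ipfw 'me' versus RFC 1122 4.2.3.10 remote address validation."""
import ipaddress

# Constructed interface table for a hypothetical FreeBSD host (not from the PR).
INTERFACES = {
    "fxp0": "192.0.2.10/24",
    "fxp1": "198.51.100.1/30",
    "lo0": "127.0.0.1/8",
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def me_addresses(ifaces=INTERFACES):
    """What ipfw 'me' matches: every IP address configured on an interface."""
    return {ipaddress.ip_interface(c).ip for c in ifaces.values()}

def broadcast_addresses(ifaces=INTERFACES):
    """Directed broadcast of each attached network plus the limited broadcast."""
    nets = {ipaddress.ip_interface(c).network.broadcast_address for c in ifaces.values()}
    return nets | {LIMITED_BROADCAST}

def network_addresses(ifaces=INTERFACES):
    """All-zeros host part of each attached network, the obsolete 4.2BSD broadcast form."""
    return {ipaddress.ip_interface(c).network.network_address for c in ifaces.values()}

def classify_destination(dst, ifaces=INTERFACES):
    """Classify a packet's destination address relative to this host."""
    addr = ipaddress.ip_address(dst)
    if addr in me_addresses(ifaces):
        return "me"
    if addr.is_multicast:
        return "multicast"
    if addr in broadcast_addresses(ifaces):
        return "broadcast"
    if addr in network_addresses(ifaces):
        return "network"
    return "other"

def accept_tcp_syn(dst, ifaces=INTERFACES):
    """RFC 1122 4.2.3.10: a SYN to a broadcast or multicast address MUST be
    silently discarded. Only a destination that 'me' matches is accepted here;
    the all-zeros network address is dropped too, as the old broadcast form."""
    return classify_destination(dst, ifaces) == "me"

def me_gap(ifaces=INTERFACES):
    """Destinations the stack accepts as 'ours' (assumption modelling the PR:
    interface, broadcast and network addresses) that 'deny ip from any to me'
    leaves uncovered, i.e. what 'broadcast' and 'network' keywords would add."""
    ours = broadcast_addresses(ifaces) | network_addresses(ifaces)
    return sorted(str(a) for a in ours - me_addresses(ifaces))
```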
