From owner-freebsd-net  Wed Aug 16 23:35:23 2000
Delivered-To: freebsd-net@freebsd.org
Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184])
	by hub.freebsd.org (Postfix) with ESMTP id 8E02C37B550
	for <freebsd-net@FreeBSD.ORG>; Wed, 16 Aug 2000 23:35:19 -0700 (PDT)
	(envelope-from luigi@info.iet.unipi.it)
Received: (from luigi@localhost)
	by info.iet.unipi.it (8.9.3/8.9.3) id IAA03423;
	Thu, 17 Aug 2000 08:37:07 +0200 (CEST)
	(envelope-from luigi)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
Message-Id: <200008170637.IAA03423@info.iet.unipi.it>
Subject: Re: [avalon@COOMBS.ANU.EDU.AU: Ip packet filtering with bridging on
 freebsd]
In-Reply-To: <20000817122736.A9181@outblaze.com> from Yusuf Goolamabbas at "Aug
 17, 2000 12:27:36 pm"
To: Yusuf Goolamabbas <yusufg@outblaze.com>
Date: Thu, 17 Aug 2000 08:37:07 +0200 (CEST)
Cc: freebsd-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Any comments to Darren's assertion ?

i would appreciate if he was giving more details on the
allegedly missing sanity checks.

Furthermore, and just for the records, the feature was not
copied in any way from openbsd -- the entire bridging code
and the ipfw integration was written from scratch, i did not
even know openbsd had that. so no wonder "large amounts of code
were not copied" -- no code was copied!

	cheers
	luigi
> -- 
> Yusuf Goolamabbas
> yusufg@outblaze.com

-- Start of included mail From:  Darren Reed <avalon@COOMBS.ANU.EDU.AU>

> Return-path:  <owner-bugtraq@SECURITYFOCUS.COM>
> Delivered-To:  yusufg@yusufg.portal2.com
> Delivered-To:  outblaze-yusufg@OUTBLAZE.COM
> Approved-By:  aleph1@SECURITYFOCUS.COM
> Delivered-To:  bugtraq@lists.securityfocus.com
> Delivered-To:  bugtraq@securityfocus.com
> Date:          Tue, 1 Aug 2000 07:14:50 +1000
> Reply-To:  Darren Reed <avalon@COOMBS.ANU.EDU.AU>
> Sender:  Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
> Subject:       Ip packet filtering with bridging on freebsd
> To:  BUGTRAQ@SECURITYFOCUS.COM

> If someone is doing packet filtering using ipfw to do packet filtering
> with a FreeBSD box configured to do bridging, it is relatively easy to
> make the box go "boom" as none of the standard header sanity checks
> are done prior to the filter routine being called (check /sys/net/bridge.c)
> It is a feature "copied" from OpenBSD but somehow large amounts of code
> were not copied and bugs resulted.
-- End of included mail.



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message