Date: Wed, 25 Oct 2000 02:00:08 -0700 (PDT) From: Robin Melville <robmel@innotts.co.uk> To: freebsd-bugs@FreeBSD.org Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny incoming connections Message-ID: <200010250900.CAA39907@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR bin/22238; it has been noted by GNATS.
From: Robin Melville <robmel@innotts.co.uk>
To: freebsd-gnats-submit@FreeBSD.org
Cc: Ruslan Ermilov <ru@sunbay.com>, Brian Somers <brian@FreeBSD.org>,
robmel@nadt.org.uk, Eivind Eklund <eivind@FreeBSD.org>
Subject: Re: bin/22238: User PPP "deny_incoming" option does not deny
incoming connections
Date: Wed, 25 Oct 2000 09:52:27 +0100
Apologies for following up my own posts.
Following comments by Ruslan Ermilov I am submitting a revised patch
for this issue. This fixes the hole and causes ppp(8) to have the
same behaviour as the natd(8) daemon in relation to the deny_incoming
flag. It permits packets that are scrambled or otherwise unrecognised
by the libalias(3) engine when deny_incoming is not set but drops
them if it is.
The rationale for dropping scrambled or unrecognised packets as well
as connection attempts when deny_incoming is set is that the default
behaviour of a one-way firewall is to block packets which are not
responses to traffic originating from the interior of the firewall.
Since the aliasing engine is unable to confirm this for packets it
ignores, the safest action is to discard them.
Libalias(3) returns an ambiguous result code (PKT_ALIAS_IGNORED)
which serves to indicate both incoming scrambled or unrecognised
packets as well as packets for which a connection does not exist in
its rewriting table when PKT_ALIAS_DENY_INCOMING is set. However, the
response of ppp(8) to these conditions is unambiguous. Consequently
it makes more sense to fix ppp(8) rather than alter the interface to
libalias(3) by adding an additional result code.
Revised patch:
--- nat_cmd.c Sun Oct 22 11:22:01 2000
+++ nat_cmd+.c Wed Oct 25 07:59:24 2000
@@ -421,12 +421,20 @@
break;
case PKT_ALIAS_IGNORED:
- if (log_IsKept(LogTCPIP)) {
- log_Printf(LogTCPIP, "NAT engine ignored data:\n");
+ /* libalias(3) has ignored this packet. This may be either
because it does not
+ understand it or because deny_incoming is set and no link
exists in the aliasing
+ table. */
+ if (log_IsKept(LogTCPIP)) {
+ log_Printf(LogTCPIP, "NAT engine ignored packet:\n");
PacketCheck(bundle, MBUF_CTOP(bp), bp->m_len, NULL, NULL, NULL);
}
+ /* drop the packet if deny_incoming is set */
+ if (PacketAliasSetMode(0,0) & PKT_ALIAS_DENY_INCOMING) {
+ m_freem(bp);
+ bp = NULL;
+ }
break;
-
+
default:
log_Printf(LogWARN, "nat_LayerPull: Dropped a packet (%d)....\n", ret);
m_freem(bp);
--
Robin Melville, Addiction Information Services
Nottingham Alcohol & Drug Team
work: robmel@nadt.org.uk http://www.nadt.org.uk/
home: robmel@innotts.co.uk http://www.innotts.co.uk/~robmel
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200010250900.CAA39907>