Date: Mon, 31 Jul 2000 22:17:19 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID: <200007311217.WAA24806@cairo.anu.edu.au>
In-Reply-To: <Pine.BSO.4.21.0007310052430.21752-100000@superconductor.rush.net> from Siobhan Patricia Lynch at "Jul 31, 0 00:53:27 am"
In some mail from Siobhan Patricia Lynch, sie said:

> because I'm bridging....
>
> this may just be hearsay, but evidently ipf doesn't work with freebsd and
> bridging, I have the "firewall" on one wire into the arrowpoint.

Well, if you're doing layer 2 forwarding (i.e. bridging) then of course
layer 3 filtering (IP firewalling) is going to be a problem.

I could give you a patch to enable IP Filter to work here but I'm not sure
I want to give implicit support to that sort of "thing".

Heck, I look at it now (haven't before) and instantly see a bunch of ways
to crash FreeBSD because a bunch of sanity checks are not being done before
ip_fw_chk() is called if I can write layer 2 packets for FreeBSD to bridge -
and that's without even testing. In essence, a bunch of code from the start
of ip_input() needs to be duplicated and hasn't.

That it is needed for what you want to do (ipfw for bridging) should speak
volumes about this being the wrong way to skin this particular cat.

Darren
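To make the point about the missing sanity checks concrete, here is an added illustration (not Darren's code and not taken from the FreeBSD sources) of the kind of IPv4 header validation that ip_input() performs before a packet ever reaches a firewall hook; a layer-2 bridge path that hands frames straight to ip_fw_chk() has to repeat checks of this sort first. The function names, error codes and constructed packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Illustrative reimplementation (not FreeBSD code) of the IPv4 header sanity
 * checks ip_input() does before the firewall hook; a bridge path must repeat them. */

/* RFC 1071 one's-complement sum over the header; returns 0 when the checksum is valid. */
static uint16_t ip_cksum(const uint8_t *h, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)h[i] << 8 | h[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 0 if the buffer holds a sane IPv4 header, else a negative code naming the failed check. */
int ip_header_sane(const uint8_t *buf, size_t buflen)
{
    if (buflen < 20) return -1;                    /* shorter than a minimal header */
    if ((buf[0] >> 4) != 4) return -2;             /* not IPv4 */
    size_t hlen = (buf[0] & 0x0f) * 4;
    if (hlen < 20) return -3;                      /* IHL below the minimum of 5 words */
    if (hlen > buflen) return -4;                  /* options run past the available data */
    if (ip_cksum(buf, hlen) != 0) return -5;       /* header checksum mismatch */
    uint16_t ip_len = (uint16_t)(buf[2] << 8 | buf[3]);
    if (ip_len < hlen) return -6;                  /* total length smaller than the header */
    if (ip_len > buflen) return -7;                /* packet truncated on the wire */
    return 0;
}

/* Constructed 20-byte header (no options, TTL 64, TCP) with a correct checksum. */
static void make_header(uint8_t *out, uint16_t total_len)
{
    memset(out, 0, 20);
    out[0] = 0x45; out[2] = total_len >> 8; out[3] = total_len & 0xff;
    out[8] = 64; out[9] = 6;
    uint16_t c = ip_cksum(out, 20); out[10] = c >> 8; out[11] = c & 0xff;
}

/* Verdict for constructed case n: 0 intact, 1 truncated, 2 bad IHL, 3 corrupted header. */
int demo_case(int n)
{
    uint8_t pkt[40] = {0};
    make_header(pkt, 40);                          /* header plus 20 payload bytes */
    if (n == 2) pkt[0] = 0x43;                     /* IHL 3, i.e. a 12-byte header */
    if (n == 3) pkt[12] ^= 0x01;                   /* flip one bit of the source address */
    return ip_header_sane(pkt, n == 1 ? 30 : 40);  /* case 1: frame shorter than ip_len */
}
```

Each negative verdict is a packet that ip_input() would have dropped before any firewall rule ran; a bridge that skips these checks lets such packets reach ip_fw_chk() unvetted.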