From owner-freebsd-security Mon Jul 31 5:17:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from cairo.anu.edu.au (cairo.anu.edu.au [150.203.224.11]) by hub.freebsd.org (Postfix) with ESMTP id B458337BA9C for ; Mon, 31 Jul 2000 05:17:31 -0700 (PDT) (envelope-from avalon@cairo.anu.edu.au)
Received: (from avalon@localhost) by cairo.anu.edu.au (8.9.3/8.9.3) id WAA24806; Mon, 31 Jul 2000 22:17:19 +1000 (EST)
From: Darren Reed
Message-Id: <200007311217.WAA24806@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 00:53:27 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Mon, 31 Jul 2000 22:17:19 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Siobhan Patricia Lynch, sie said:

> because I'm bridging....
>
> this may just be hearsay, but evidently ipf doesn't work with freebsd and
> bridging, I have the "firewall" on one wire into the arrowpoint.

Well, if you're doing layer 2 forwarding (i.e. bridging) then of course layer 3 filtering (IP firewalling) is going to be a problem. I could give you a patch to enable IP Filter to work here but I'm not sure I want to give implicit support to that sort of "thing".

Heck, I look at it now (haven't before) and instantly see a bunch of ways to crash FreeBSD because a bunch of sanity checks are not being done before ip_fw_chk() is called if I can write layer 2 packets for FreeBSD to bridge - and that's without even testing. In essence, a bunch of code from the start of ip_input() needs to be duplicated and hasn't. That it is needed for what you want to do (ipfw for bridging) should speak volumes about this being the wrong way to skin this particular cat.
Darren
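The sanity checks Darren says the start of ip_input() performs before a filter hook is reached are the kind shown in this added C example; it is not FreeBSD's code, the names ip_sanity_check, ip_cksum, sample_hdr and check_variant are illustrative, and the sample header is constructed. It shows why a bridge path that hands a raw layer-2 payload straight to the filter without these checks lets a malformed IP header reach code that assumes a well-formed one.

```c
/* Added illustration, not FreeBSD's ip_input(): the header sanity checks a
 * layer-3 input path applies before any filter hook. A bridge that hands raw
 * layer-2 payloads to a layer-3 filter skips them, so malformed headers get through. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IP_HDR_MIN 20
enum ip_check { IP_OK = 0, IP_TOO_SHORT, IP_BAD_VERSION, IP_BAD_HLEN,
                IP_BAD_CSUM, IP_BAD_LEN, IP_TRUNCATED };
/* RFC 1071 one's-complement sum; yields 0 over a header with a valid checksum. */
uint16_t ip_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* pktlen is how many bytes really follow the Ethernet header in the frame. */
enum ip_check ip_sanity_check(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < IP_HDR_MIN) return IP_TOO_SHORT;   /* cannot read a full header */
    if ((pkt[0] >> 4) != 4) return IP_BAD_VERSION;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_HDR_MIN || hlen > pktlen) return IP_BAD_HLEN; /* options past buffer */
    if (ip_cksum(pkt, hlen) != 0) return IP_BAD_CSUM;
    size_t iplen = ((size_t)pkt[2] << 8) | pkt[3];
    if (iplen < hlen) return IP_BAD_LEN;            /* total length inside header */
    if (iplen > pktlen) return IP_TRUNCATED;        /* frame shorter than claimed */
    return IP_OK;
}
/* Constructed sample: 20-byte header, 10.0.0.1 -> 10.0.0.2, ICMP, checksum 0x66e7. */
const uint8_t sample_hdr[IP_HDR_MIN] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01,
    0x66, 0xe7, 0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
/* Check a copy of sample_hdr with byte `off` set to `val`, presenting pktlen
 * bytes; fix_csum recomputes the checksum so the length/version checks are reached. */
enum ip_check check_variant(size_t off, uint8_t val, size_t pktlen, int fix_csum)
{
    uint8_t buf[IP_HDR_MIN];
    memcpy(buf, sample_hdr, IP_HDR_MIN);
    buf[off % IP_HDR_MIN] = val;
    if (fix_csum) {
        buf[10] = buf[11] = 0;
        uint16_t c = ip_cksum(buf, IP_HDR_MIN);
        buf[10] = (uint8_t)(c >> 8); buf[11] = (uint8_t)c;
    }
    return ip_sanity_check(buf, pktlen);
}
```

Each rejected case is one a filter rule evaluator would otherwise read past the end of the buffer or misinterpret, which is the class of crash the message describes.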