From owner-freebsd-hackers Fri Dec 15 04:04:47 1995 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA17207 for hackers-outgoing; Fri, 15 Dec 1995 04:04:47 -0800 (PST) Received: from gw.pinewood.nl (gw.pinewood.nl [192.31.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA17198 for ; Fri, 15 Dec 1995 04:04:44 -0800 (PST) Received: (from smap@localhost) by gw.pinewood.nl (8.6.12/8.6.12) id NAA01256 for ; Fri, 15 Dec 1995 13:04:38 +0100 Received: from pwood1.pinewood.nl(192.168.1.10) by gw.pinewood.nl via smap (V1.3) id sma001254; Fri Dec 15 13:03:41 1995 Received: (from franky@localhost) by pwood1.pinewood.nl (8.6.12/8.6.12) id NAA27079 for hackers@freebsd.org; Fri, 15 Dec 1995 13:02:17 +0100 From: "Frank ten Wolde" Message-Id: <9512151302.ZM27077@pwood1.pinewood.nl> Date: Fri, 15 Dec 1995 13:02:16 +0100 X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi? X-Mailer: Z-Mail (3.2.1 15feb95) To: hackers@freebsd.org Subject: Order of rules in ip_fw chain Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-hackers@freebsd.org Precedence: bulk Hi, I have three questions/suggestions for discussion on the implementation of the ip firewall filter in FreeBSD 2.1.0. I would like to see who shares my ideas or if there are sound reasons why *not* to modify the existing implementation... Here I go: 1) I would suggest adding the following lines of code in .../sys/netinet/ip_fw.c, line 879: ifdef IPFIREWALL int ip_fw_ctl(stage, m) int stage; struct mbuf *m; { if (securelevel >= 2) { NEW return (EPERM); NEW } NEW if (stage == IP_FW_FLUSH) { free_fw_chain(&ip_fw_chain); return (0); } ... This would prevent any changes in the fw chain when running in very secure level. 2) I noticed that the order in which the fw checks incoming packets is *not* the same as the order in which the packet rules were added. IMHO this should be fixed. I have not had the time (yet) to have a look at the source myself, but will do so in the next few weeks. 3) I would suggest modifying ipfw.c to give some more informative message if the setsockopt call fails. Now it only lists something like "getsockopt failed", but it does not give you the reason. A simple perror("") would do the trick I suppose. I will try and have a look at the source code in the near future. Any discussion welcome. -Frank ten Wolde -- ---------------------------------------------------------------------- F.W. ten Wolde (PA3FMT) Pinewood Automation B.V. E-mail: franky@pinewood.nl Kluyverweg 2a Phone: +31-15 2682543 2629 HT Delft