From: Terry Lambert
Date: Thu, 15 Aug 2002 00:12:58 -0700
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: RFC: new mbuf flag bit needed
Message-ID: <3D5B547A.E29F61BA@mindspring.com>
References: <20020815000720.B24495@iguana.icir.org>

Luigi Rizzo wrote:
> ipfw does this using two specific hacks:
> + ICMP packets will not generate a response even on "unreach" rules;
> + TCP packets with the RST bit set will not generate a response
>   on "unreach" rules.
>
> ipfw2 has a harder time because keepalives have nothing very
> distinguishable in them (except sequence numbers which refer to old
> data; but to detect them requires a lookup of the stateful entry).

Why does ipfw2 not do it exactly the way ipfw does it? I don't
understand why it has a harder time, since it has all the same
information.

> So my proposal is to use a different method, and use one of the
> m_pkthdr.flags bits as a marker that the packet should bypass the
> firewall. I can restrict the change to just ip_fw2.c so no other
> parts of the system will need to be modified, except sys/mbuf.h for
> the definition of the new bit if we want to give it a meaningful name.

Ugh. So all you have to really do is figure a way to force this bit to
get set in data, and you can bypass the firewall with all your hack
packets?

-- Terry
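The two ipfw special cases Luigi describes (no "unreach" response for ICMP packets or for TCP segments with RST set), as an added example written for this thread rather than code from ipfw or from either poster; the function names, the constructed sample packets and the protocol constants with trailing underscores are all my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPPROTO_ICMP_ 1    /* own defines; no netinet headers needed */
#define IPPROTO_TCP_  6
#define TH_RST_       0x04 /* TCP RST flag */

/* Should a packet matched by an "unreach" rule get a response? Mirrors the
 * two ipfw special cases in the thread: ICMP packets and TCP segments with
 * RST set never trigger one, so error traffic cannot bounce back and forth.
 * Returns 1 = respond, 0 = stay silent, -1 = malformed (drop silently). */
int unreach_should_respond(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;   /* not a full IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    if (pkt[9] == IPPROTO_ICMP_) return 0;
    if (pkt[9] == IPPROTO_TCP_) {
        if (len < ihl + 14) return -1;               /* need the TCP flags byte */
        if (pkt[ihl + 13] & TH_RST_) return 0;
    }
    return 1;
}

/* Build a constructed sample packet of the given protocol (TCP: 20-byte header
 * carrying tcp_flags; others: 8 zero payload bytes) and classify it. */
int classify_demo(uint8_t proto, uint8_t tcp_flags)
{
    uint8_t pkt[40] = {0};
    size_t len = 20 + 8;
    pkt[0] = 0x45;                  /* version 4, IHL 5 (no options) */
    pkt[9] = proto;
    if (proto == IPPROTO_TCP_) {
        len = 20 + 20;
        pkt[20 + 12] = 0x50;        /* TCP data offset: 5 words */
        pkt[20 + 13] = tcp_flags;
    }
    pkt[2] = (uint8_t)(len >> 8);   /* total length; checksums left zero */
    pkt[3] = (uint8_t)len;
    return unreach_should_respond(pkt, len);
}

int main(void)
{
    printf("ICMP %d, TCP RST %d, TCP SYN %d, UDP %d\n",
           classify_demo(IPPROTO_ICMP_, 0), classify_demo(IPPROTO_TCP_, TH_RST_),
           classify_demo(IPPROTO_TCP_, 0x02), classify_demo(17, 0));
    return 0;
}
```

The malformed-packet path returns -1 so a truncated header is dropped without a reply either; the stateful keepalive check Luigi mentions is not modelled here.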