From: Siobhan Patricia Lynch
Date: Mon, 31 Jul 2000 09:07:01 -0400 (EDT)
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: <200007311217.WAA24806@cairo.anu.edu.au>

unfortunately, it was put in as a stop gap. you have to remember that certain people were opposed to me doing ANYTHING at first, however I have not had a problem to date, and the traffic flowing through it is quite heavy.

no one is going to convince me that ipfw is the wrong thing for the job, maybe not the *best* thing, but that simply means that I would have needed an openbsd disk in an emergency at that particular time, and had I had the CDs, well, we wouldn't be having this discussion on a *freebsd* list, eh?

-Trish

__
Trish Lynch                     trish@bsdunix.net
FreeBSD - The Power to Serve
Rush Networking                 trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > because I'm bridging....
> >
> > this may just be hearsay, but evidently ipf doesn't work with freebsd and
> > bridging, I have the "firewall" on one wire into the arrowpoint.
>
> Well, if you're doing layer 2 forwarding (i.e. bridging) then of course
> layer 3 filtering (IP firewalling) is going to be a problem.
>
> I could give you a patch to enable IP Filter to work here but I'm not
> sure I want to give implicit support to that sort of "thing".
>
> Heck, I look at it now (haven't before) and instantly see a bunch of
> ways to crash FreeBSD because a bunch of sanity checks are not being
> done before ip_fw_chk() is called if I can write layer 2 packets for
> FreeBSD to bridge - and that's without even testing. In essence, a
> bunch of code from the start of ip_input() needs to be duplicated and
> hasn't. That it is needed for what you want to do (ipfw for bridging)
> should speak volumes about this being the wrong way to skin this
> particular cat.
>
> Darren