From owner-freebsd-hackers Fri Dec 15 08:23:54 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA01417 for hackers-outgoing; Fri, 15 Dec 1995 08:23:54 -0800 (PST)
Received: from gw.pinewood.nl (gw.pinewood.nl [192.31.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA01388 for ; Fri, 15 Dec 1995 08:23:46 -0800 (PST)
Received: (from smap@localhost) by gw.pinewood.nl (8.6.12/8.6.12) id RAA08150; Fri, 15 Dec 1995 17:23:37 +0100
Received: from pwood1.pinewood.nl(192.168.1.10) by gw.pinewood.nl via smap (V1.3) id sma008148; Fri Dec 15 17:23:03 1995
Received: (from franky@localhost) by pwood1.pinewood.nl (8.6.12/8.6.12) id RAA00311; Fri, 15 Dec 1995 17:20:24 +0100
From: "Frank ten Wolde"
Message-Id: <9512151720.ZM309@pwood1.pinewood.nl>
Date: Fri, 15 Dec 1995 17:20:22 +0100
In-Reply-To: Nate Williams "Re: Order of rules in ip_fw chain" (Dec 15, 9:11)
References: <9512151302.ZM27077@pwood1.pinewood.nl> <199512151611.JAA16380@rocky.sri.MT.net>
X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi?
X-Mailer: Z-Mail (3.2.1 10oct95)
To: Nate Williams , "Frank ten Wolde"
Subject: Re: Order of rules in ip_fw chain
Cc: hackers@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-hackers@freebsd.org
Precedence: bulk

On Dec 15, 9:11, Nate Williams wrote:
> Subject: Re: Order of rules in ip_fw chain
>
> > 1) I would suggest adding the following lines of code in
> > .../sys/netinet/ip_fw.c, line 879:
> >
> > #ifdef IPFIREWALL
> > int
> > ip_fw_ctl(stage, m)
> >     int stage;
> >     struct mbuf *m;
> > {
> >
> >     if (securelevel >= 2) {          NEW
> >         return (EPERM);              NEW
> >     }                                NEW
>
> Just out of curiosity, how are you adding the lines to the firewall
> list *before* the machine goes multi-user?  On my box, I can't simply
> because the networking code isn't (yet) up and running.
>

Apparently FreeBSD allows you to add the ip_fw chains *before* the
network interfaces are up.  The above code is actually running on our
firewall (FreeBSD of course :-).  In /etc/rc, just after the local file
systems have been mounted (line 81), I set up the ip_fw chain, followed
by a sysctl kern.securelevel to bump it to 2.

When you try to flush the chain (ipfw f f) you get:

    ipfw: setsockopt failed.

This should become:

    ipfw: setsockopt failed (operation not permitted).

or something similar.

> > 2) I noticed that the order in which the fw checks incoming packets is
> > *not* the same as the order in which the packet rules were added.
> > IMHO this should be fixed.  I have not had the time (yet) to have
> > a look at the source myself, but will do so in the next few weeks.
>
> Ugen was supposed to be working on this a while back.  I agree that
> something should be done.  His work was going to allow 'priority' based
> rules, which I agree would be a good thing.  Either that or allow the
> rules to be listed in the same order in the kernel as they are added.
> But, you'd need a way to modify the list in non-secure mode, so I think
> the priority based approach is probably more flexible.
>

Tell me more about 'priority' based rules, I don't grasp the basic idea
behind it (could be because it's Friday late-afternoon :-).  Unless
'priority' based rules are a pretty neat idea, I would suggest to simply
apply the rules as they are added to the chain.  Packet filter rules are
hard to understand/design, even without the OS altering the order of
rules...

>
> Nate

-Frank

-- 
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                       Pinewood Automation B.V.
E-mail: franky@pinewood.nl                    Kluyverweg 2a
Phone: +31-15 2682543                         2629 HT Delft
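The two points raised in this exchange, a securelevel gate that freezes the chain once the system is locked down, and the fact that a first-match filter gives different verdicts when the kernel evaluates rules in a different order than they were added, can both be seen in a small user-space model. The following is an added illustration written for this archive page; it is not code from FreeBSD, from ip_fw.c, or from either poster. The chain layout, the rule fields, the fw_add_rule/fw_flush/fw_check names and the addresses used are all constructed for the example; only the "securelevel >= 2 returns EPERM" idea is taken from the message above.

```c
/* Toy first-match packet-filter chain (added example, not FreeBSD code).
 * Demonstrates (1) refusing chain changes once securelevel >= 2, as in the
 * ip_fw_ctl check proposed above, and (2) why evaluation order decides the
 * verdict for the same packet.  All rules and addresses are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

enum action { FW_DENY = 0, FW_ACCEPT = 1 };

struct rule {
    enum action act;
    uint32_t src, src_mask;   /* match when (pkt.src & src_mask) == src */
    uint16_t dport;           /* 0 means any destination port */
};

#define MAX_RULES 16
struct chain {
    struct rule rules[MAX_RULES];
    int n;                    /* rules are kept in insertion order */
};

/* Build a host-order IPv4 address from its dotted components. */
static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8)  |  (uint32_t)d;
}

/* Chain modification gate: once securelevel >= 2 the chain is frozen,
 * mirroring the EPERM check suggested for ip_fw_ctl in the thread. */
int fw_add_rule(struct chain *ch, int securelevel, struct rule r) {
    if (securelevel >= 2)
        return EPERM;
    if (ch->n >= MAX_RULES)
        return ENOSPC;
    ch->rules[ch->n++] = r;
    return 0;
}

/* Flushing is a modification too, so it is gated the same way. */
int fw_flush(struct chain *ch, int securelevel) {
    if (securelevel >= 2)
        return EPERM;
    ch->n = 0;
    return 0;
}

/* First-match evaluation: the first matching rule decides.  A packet that
 * matches no rule is denied (default deny). */
enum action fw_check(const struct chain *ch, uint32_t src, uint16_t dport) {
    for (int i = 0; i < ch->n; i++) {
        const struct rule *r = &ch->rules[i];
        if ((src & r->src_mask) == r->src &&
            (r->dport == 0 || r->dport == dport))
            return r->act;
    }
    return FW_DENY;
}

/* Install the same two rules in the order given and in reverse order, then
 * check one packet against both chains.  Returns 1 when the verdicts differ,
 * which is exactly the situation the thread complains about. */
int order_matters_demo(void) {
    /* constructed rules: allow a whole /24, but deny telnet from one host */
    struct rule allow_net = { FW_ACCEPT, ip4(192,168,1,0),  0xffffff00u, 0  };
    struct rule deny_host = { FW_DENY,   ip4(192,168,1,10), 0xffffffffu, 23 };
    struct chain as_written = {0}, reversed = {0};

    fw_add_rule(&as_written, 0, deny_host);
    fw_add_rule(&as_written, 0, allow_net);
    fw_add_rule(&reversed,   0, allow_net);
    fw_add_rule(&reversed,   0, deny_host);

    uint32_t pkt_src = ip4(192,168,1,10);          /* constructed packet */
    enum action a = fw_check(&as_written, pkt_src, 23);  /* deny  */
    enum action b = fw_check(&reversed,   pkt_src, 23);  /* accept */
    return a != b;
}

int main(void) {
    struct chain ch = {0};
    struct rule any_allow = { FW_ACCEPT, 0, 0, 0 };

    printf("add at securelevel 1: %d\n", fw_add_rule(&ch, 1, any_allow));
    printf("add at securelevel 2: %d (EPERM=%d)\n",
           fw_add_rule(&ch, 2, any_allow), EPERM);
    printf("flush at securelevel 2: %d\n", fw_flush(&ch, 2));
    printf("same rules, different order, different verdict: %d\n",
           order_matters_demo());
    return 0;
}
```

The model keeps rules in insertion order and stops at the first match, which is the behaviour Frank asks for; the final check shows that swapping two rules flips the verdict for the same packet, so any reordering done by the kernel changes the policy the administrator thought was installed.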