Date: Wed, 17 Jan 1996 13:56:08 -0700
From: Nate Williams <nate@sri.MT.net>
To: Archie Cobbs <archie@tribe.com>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: IP firewall question
Message-ID: <199601172056.NAA09226@rocky.sri.MT.net>
In-Reply-To: <199601171941.LAA28668@bubba.tribe.com>
References: <199601171941.LAA28668@bubba.tribe.com>
> While investigating FreeBSD's IP firewall (ipfw(4)) stuff, I heard
> this claim somewhere: "FreeBSD's firewall code reorders rules, and
> is therefore bad because this can change the intent of the rule list".

This is true.

> I understand how applying rules in a different order can change the
> semantics of the firewall... but can someone explain exactly how and
> why the FreeBSD code does this?

Why it does so is because apparently getting the rules correct is
error-prone, so the author decided to re-order them to make them more
likely to do what was intended. Whether or not this is valid is subject
to discussion.

> Also, is there some method of adding the rules which guarantees
> the order in which they are applied? I'm willing to work on fixing
> it if there is a need.

You've got the sources, it's easy to remove the re-ordering code from
the kernel. Someone even posted a diff to the list late last year which
basically ifdef'd out the re-order code.

Nate
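To make the semantics change discussed in this thread concrete, here is an added example (not FreeBSD code, and it does not model whatever ordering policy the 1996 kernel actually applied): a first-match evaluator over a constructed two-rule list, where simply swapping the two rules changes the verdict for the one host the operator meant to block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "any", "tcp", "udp" or "icmp"
    dport: Optional[int]           # None matches any destination port

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)

def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field of the rule covers the packet."""
    return (ipaddress.ip_address(pkt["src"]) in rule.src
            and ipaddress.ip_address(pkt["dst"]) in rule.dst
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt.get("dport")))

def verdict(rules, pkt: dict) -> str:
    """First-match evaluation: the first rule that covers the packet
    decides; nothing matching falls through to a default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed rule set (hypothetical addresses): the operator intends to
# block one misbehaving host, then let the rest of its /24 reach SMTP.
DENY_HOST = Rule("deny", net("10.0.0.5/32"), net("0.0.0.0/0"), "any", None)
ALLOW_SUBNET = Rule("allow", net("10.0.0.0/24"), net("0.0.0.0/0"), "tcp", 25)

INTENDED = [DENY_HOST, ALLOW_SUBNET]    # order the operator wrote
REORDERED = [ALLOW_SUBNET, DENY_HOST]   # same rules, swapped

# Constructed packets: the blocked host and a neighbour, both sending SMTP.
BAD_HOST_SMTP = {"src": "10.0.0.5", "dst": "192.0.2.1", "proto": "tcp", "dport": 25}
GOOD_HOST_SMTP = {"src": "10.0.0.7", "dst": "192.0.2.1", "proto": "tcp", "dport": 25}

def order_changes_verdict(pkt: dict) -> bool:
    """Report whether the two orderings disagree on this packet."""
    return verdict(INTENDED, pkt) != verdict(REORDERED, pkt)

if __name__ == "__main__":
    for name, pkt in (("bad host", BAD_HOST_SMTP), ("good host", GOOD_HOST_SMTP)):
        print(name, verdict(INTENDED, pkt), "vs reordered", verdict(REORDERED, pkt))
```

The neighbour is allowed under both orderings, but the host the operator meant to deny is let through once the broader allow rule is evaluated first, which is exactly the "intent of the rule list" changing.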