Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 15 Dec 1995 15:28:46 -0800
From:      gpalmer@westhill.cdrom.com
To:        "Frank ten Wolde" <franky@pinewood.nl>
Cc:        hackers@freebsd.org
Subject:   Re: Order of rules in ip_fw chain 
Message-ID:  <15305.819070126@westhill.cdrom.com>
In-Reply-To: Your message of "Fri, 15 Dec 1995 13:02:16 %2B0100." <9512151302.ZM27077@pwood1.pinewood.nl>
next in thread | previous in thread | raw e-mail | index | archive | help 
"Frank ten Wolde" wrote in message ID
<9512151302.ZM27077@pwood1.pinewood.nl>:
> 1) I would suggest adding the following lines of code in 
>    .../sys/netinet/ip_fw.c, line 879:
> 
> 	ifdef IPFIREWALL 
> 	int
> 	ip_fw_ctl(stage, m)
> 	    int stage;
> 	    struct mbuf *m; 
> 	{
>   
> 	    if (securelevel >= 2) {			NEW
> 	        return (EPERM);				NEW
> 	    }   					NEW
> 	    if (stage == IP_FW_FLUSH) {
> 	        free_fw_chain(&ip_fw_chain);
> 	        return (0);
> 	    }   
> 	    ...

>    This would prevent any changes in the fw chain when running in
>    very secure level.

Nice idea, but running at secure levels >>0 is not something I want to
look at yet. If nothing else, the only reason I would do it would be
to set the sappend flag on the log files to prevent people tinkering
with them, but how would you rotate them? :-( Taking the machine
offline is NOT an option.

> 2) I noticed that the order in which the fw checks incoming packets is
>    *not* the same as the order in which the packet rules were added.
>    IMHO this should be fixed.  I have not had the time (yet) to have
>    a look at the source myself, but will do so in the next few weeks.

This is documented, and I have to agree with the authors idea that
most people do NOT know what they are doing when playing with the
firewall stuff and need some handholding. He does agree with me,
however, that we need an ``I know what I'm doing'' flag which inserts
the rules into the chain in the order they are submitted.

> 3) I would suggest modifying ipfw.c to give some more informative
>    message if the setsockopt call fails.  Now it only lists something
>    like "getsockopt failed", but it does not give you the reason.
>    A simple perror("") would do the trick I suppose.  I will try and
>    have a look at the source code in the near future.

Definately.

Gary

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15305.819070126>