Date: Thu, 4 Jul 2002 14:41:57 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@FreeBSD.org
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704114157.GC36762@sunbay.com>
In-Reply-To: <20020704043409.A26837@iguana.icir.org>
References: <20020704043409.A26837@iguana.icir.org>
On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> I was looking at the implementation of ipfw rules which generate
> a feedback packet back to the source (reset, reject and unreach)
> and I realised that there is a potential problem here...
>
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RST do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
>
> I think policies should be consistent -- either all packets (including
> ICMPs generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
>
> So, what do we want to do ?
>
To have a sysctl knob that allows one to select the desired behavior.
Not sure about the default value.

Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9JDSFUkv4P6juNwoRAu8eAJ4s+9/HX4/7go4cRO6qfbaQhbhGWACfcbQv
tw7Kc7rdGS/ppDIYqM92oKw=
=IdsE
-----END PGP SIGNATURE-----
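The problem the thread describes, and the knob Ruslan proposes, can be illustrated with a small first-match rule evaluator. This is an added example written for this page, not ipfw's code and not a real sysctl: the rule set, the host address, the `bypass_generated` flag and the loop guard are all constructed here. It shows a `reset` rule synthesizing a TCP RST that is then re-evaluated against the same rules and dropped by a later outbound `deny`, the same rule set with the generated packet bypassing the firewall, and a rule set that explicitly allows the host's own RSTs so the feedback survives either way.

```python
# Toy model of first-match firewall evaluation (constructed for this
# example; not ipfw's implementation).  A "reset" or "unreach" action
# synthesizes a feedback packet (TCP RST or ICMP unreachable); the
# bypass_generated flag stands in for the sysctl knob discussed in the
# thread and decides whether that packet is re-evaluated by the rules.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. frozenset({"rst"})
    generated: bool = False          # True if the firewall itself built it


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow", "deny", "reset" or "unreach"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.flags <= p.flags)


def feedback_for(rule: Rule, p: Packet) -> Optional[Packet]:
    """Packet that a reset/unreach action sends back toward p's source."""
    if rule.action == "reset":
        return Packet("tcp", src=p.dst, dst=p.src,
                      flags=frozenset({"rst"}), generated=True)
    if rule.action == "unreach":
        return Packet("icmp", src=p.dst, dst=p.src, generated=True)
    return None


def run_generated(rules: List[Rule], fb: Packet) -> str:
    """Re-inject a firewall-generated packet through the rule set.

    Loop guard: a generated packet never produces another feedback packet,
    so reset/unreach matching it is treated as a plain drop.
    """
    assert fb.generated
    for r in rules:
        if r.matches(fb):
            return "delivered" if r.action == "allow" else "blocked"
    return "blocked"   # no match: default deny


def run(rules: List[Rule], p: Packet,
        bypass_generated: bool) -> Tuple[str, Optional[str]]:
    """First-match evaluation of p.

    Returns (verdict for p, fate of the feedback packet or None).
    """
    for r in rules:
        if not r.matches(p):
            continue
        fb = feedback_for(r, p)
        if fb is None:
            return r.action, None
        # reset/unreach always drop the original; the open question in the
        # thread is what happens to the packet the firewall sends back.
        if bypass_generated:
            return "deny", "delivered"
        return "deny", run_generated(rules, fb)
    return "deny", None


# Constructed rule set: reject telnet with a RST, then a deliberately coarse
# deny on anything the host sends over TCP, then allow the rest.
HOST = "10.0.0.1"
RULES = [
    Rule("reset", proto="tcp", dst=HOST, dport=23),
    Rule("deny", proto="tcp", src=HOST),
    Rule("allow"),
]
# Same rule set with an explicit allow for the host's own RSTs placed
# before the deny, so the feedback survives re-evaluation.
RULES_FIXED = [
    Rule("reset", proto="tcp", dst=HOST, dport=23),
    Rule("allow", proto="tcp", src=HOST, flags=frozenset({"rst"})),
    Rule("deny", proto="tcp", src=HOST),
    Rule("allow"),
]
PROBE = Packet("tcp", src="192.0.2.7", dst=HOST, dport=23)  # constructed

if __name__ == "__main__":
    for name, rules in (("as written", RULES), ("with RST allow", RULES_FIXED)):
        for bypass in (False, True):
            print(f"{name:15s} bypass_generated={bypass!s:5s} -> "
                  f"{run(rules, PROBE, bypass)}")
```

With `RULES` and `bypass_generated=False` the probe is denied but the RST never leaves the host, because the second rule catches it on the way out; flipping the knob delivers it without consulting the rules again. `RULES_FIXED` shows the administrator-side workaround that is needed whenever generated packets are re-evaluated: an explicit allow for the firewall's own feedback ahead of any rule that would swallow it.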
