Date: Thu, 4 Jul 2002 14:41:57 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: ipfw@FreeBSD.org
Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704114157.GC36762@sunbay.com>
In-Reply-To: <20020704043409.A26837@iguana.icir.org>
References: <20020704043409.A26837@iguana.icir.org>
On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote:
> Hi,
> I was looking at the implementation of ipfw rules which generate
> a feedback packet back to the source (reset, reject and unreach)
> and I realised that there is a potential problem here...
>
> Some ICMP packets generated by the host bypass the firewall, but
> TCP RSTs do not, so they can be blocked themselves (this is the way
> the old ipfw works, and there is code to prevent loops).
>
> I think policies should be consistent -- either all packets (including
> ICMPs generated by the firewall) should go through the firewall again
> (with proper countermeasures to avoid loops), or all packets generated
> by the firewall should bypass the firewall and go to the correct
> destination.
>
> So, what do we want to do?
>
To have a sysctl knob that allows one to select the desired behavior.
Not sure about the default value.

Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
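As an added illustration (not part of the thread and not FreeBSD's own code), a constructed ipfw ruleset in the rule-file format loaded with `ipfw <file>` that makes the inconsistency Luigi describes concrete. Rule numbers and ports are arbitrary, and the comments state the behaviour the message attributes to the old ipfw, assuming the port-unreachable is one of the host-generated ICMP packets that bypass the firewall.

```ipfw
# Constructed example (not from the thread); rule numbers and ports are arbitrary.
# Two rules make the host generate a feedback packet (100: TCP RST, 300: ICMP
# port-unreachable); two later outbound rules try to block those packet types.

# 100: answer TCP connection attempts to port 25 with a RST
add 100 reset tcp from any to me 25 in
# 200: outbound policy that drops every RST leaving this host
add 200 deny tcp from me to any out tcpflags rst
# 300: answer UDP probes to port 53 with an ICMP port-unreachable
add 300 unreach port udp from any to me 53 in
# 400: outbound policy that drops every ICMP unreachable (type 3) leaving this host
add 400 deny icmp from me to any out icmptypes 3

# Per the message, on the old ipfw:
#  - the RST generated by rule 100 re-enters the firewall and is dropped by
#    rule 200, so the peer never receives it;
#  - the unreachable generated by rule 300 (assumed here to be one of the ICMP
#    packets that bypass the firewall) is never seen by rule 400, so the peer
#    does receive it.
# The two feedback packets thus get opposite treatment from an identical outbound
# policy, which is the inconsistency a single sysctl knob would let the admin resolve.
```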