From owner-freebsd-security Tue Jun 11 01:19:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA12832 for security-outgoing; Tue, 11 Jun 1996 01:19:11 -0700 (PDT)
Received: from valis.worldgate.com (root@valis.worldgate.com [198.161.84.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA12827; Tue, 11 Jun 1996 01:19:08 -0700 (PDT)
Received: from gras-varg.worldgate.com (root@gras-varg.worldgate.com [198.161.84.12]) by valis.worldgate.com (8.6.12/8.6.12) with ESMTP id CAA05219; Tue, 11 Jun 1996 02:19:01 -0600
Received: (from skafte@localhost) by gras-varg.worldgate.com (8.7.5/8.6.12) id CAA00736; Tue, 11 Jun 1996 02:19:00 -0600 (MDT)
From: Greg Skafte
Message-Id: <199606110819.CAA00736@gras-varg.worldgate.com>
Subject: IP Firewall gotchas
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org, freebsd-questions@worldgate.com
Date: Tue, 11 Jun 1996 02:18:59 -0600 (MDT)
X-Mailer: ELM [version 2.4ME+ PL14 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

After much experimenting I have noticed that the current version of
ip_fw.c etc. in freebsd _stable_ does not have any provisions for igmp
or ip multicast. So I have had to open the firewall a little wider than
I would like to accommodate this scenario.

I was experimenting with gated 3.5beta3 to talk to our ospf routers and
noticed that, depending on the rules I selected, there were no ospf
transfers. After a few tcpdumps and careful placement of packet
accounting I found that the total in and out packets did not exactly
match the various rule sets. Guess why: ospf uses multicast and igmp
packets.

Has anyone hacked ip_fw.[c,h] and ipfw to allow for more _modern_ ip
support, or is this stuff hiding in _current_? Would people be
interested in hacking ip_fw.[c,h] to assist in these higher order ip
functions ....

I don't normally read the mail lists, so write directly to me and I will
mail a summary to the appropriate lists.

--
Internet: skafte@worldgate.com
Voice: +403 428 0150

When things can't get any worse, they simplify themselves by getting a
whole lot worse then complicated. A complete and utter disaster is the
simplest thing in the world; it's preventing one that's complex.
(janet morris)
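
The accounting gap described in the message above can be reproduced offline. The following is an added example, not part of the original post and not FreeBSD code: it parses IPv4 headers and separates packets whose protocol a rule could name from those no rule can count. The set RULE_PROTOCOLS and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

# IANA-assigned IP protocol numbers.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 89: "ospf"}
# Assumption: the rule set can only name these protocols.
RULE_PROTOCOLS = {"icmp", "tcp", "udp"}

def build_ipv4_header(proto, src, dst):
    """Build a minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4_header(raw):
    """Return (protocol number, destination address) from a raw header."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if (raw[0] & 0x0F) * 4 < 20:
        raise ValueError("bad header length")
    return raw[9], socket.inet_ntoa(raw[16:20])

def is_multicast(addr):
    """True for destinations in 224.0.0.0/4."""
    return 224 <= int(addr.split(".")[0]) <= 239

def account(packets):
    """Split packets into those a rule can count and those none can."""
    matched, unmatched = Counter(), Counter()
    for raw in packets:
        proto, dst = parse_ipv4_header(raw)
        name = PROTO_NAMES.get(proto, "proto-%d" % proto)
        bucket = matched if name in RULE_PROTOCOLS else unmatched
        bucket[(name, dst, is_multicast(dst))] += 1
    return matched, unmatched

# Constructed sample traffic (documentation addresses, not from the post).
SAMPLE = [
    build_ipv4_header(89, "192.0.2.1", "224.0.0.5"),   # OSPF to AllSPFRouters
    build_ipv4_header(89, "192.0.2.1", "224.0.0.6"),   # OSPF to AllDRouters
    build_ipv4_header(2, "192.0.2.1", "224.0.0.1"),    # IGMP to all-systems
    build_ipv4_header(6, "192.0.2.1", "192.0.2.9"),    # TCP, unicast
    build_ipv4_header(17, "192.0.2.1", "192.0.2.9"),   # UDP, unicast
    build_ipv4_header(1, "192.0.2.9", "192.0.2.1"),    # ICMP, unicast
]

if __name__ == "__main__":
    matched, unmatched = account(SAMPLE)
    print("counted by rules:", sum(matched.values()))
    for key, n in sorted(unmatched.items()):
        print("not counted:", key, n)
```

Packets in the second bucket are what make per-rule totals fall short of the interface totals; a filter that cannot name their protocols can only pass or drop them with a broader rule.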