Date: Thu, 5 Oct 2000 21:26:21 -0400 From: Bill Fumerola <billf@chimesnet.com> To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sbin/ipfw ipfw.c src/sys/netinet ip_fw.c ip_fw.h Message-ID: <20001005212621.U38472@jade.chc-chimes.com> In-Reply-To: <20001005202924.A63643@sunbay.com>; from ru@FreeBSD.org on Thu, Oct 05, 2000 at 08:29:24PM %2B0300 References: <200010020303.UAA99196@freefall.freebsd.org> <20001005202924.A63643@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 05, 2000 at 08:29:24PM +0300, Ruslan Ermilov wrote:
> > Add new fields for more granularity:
> > IP: version, tos, ttl, len, id
> > TCP: seq#, ack#, window size
> >
> What is the purpose of having the following modifiers?
> - ipversion (ipfw will only be passed IPv4 packets)
Even in the bridge case? If ipfw won't ever see anything but ipv4 packets
that are bridged (I admit I didn't really look into this too much), then
by all means back that part out.
> - ipid
> - tcpseq
> - tcpack
> How these can be really useful? I think they should be dropped.
Let me assure you that these are useful for dropping attacks from
poorly coded DDoS programs.
> The current implementation of iplen, ipttl and tcpwin modifiers
> does not seem interesting, because comparison is only limited to
> equality. I think they should be modified to accept the range
> of values, specified by lowest and highest boundaries, so one
> could specify `iplen 20-50' (20 <= iplen <= 50), `ipttl 0-5'
> (ipttl <= 5), etc.
The ipfw grammar, for lack of a better way to describe it, sucks ass.
There are _lots_ of fields that would benefit by the ability for lt, gt,
eq, etc... I have every intention of looking at what BSD/os has done
to ipfw to expand the grammar (I know they have) and try and bring our
ipfw along side theirs.
I have lots of plans for new functionality and even have a fair amount
of them already coded (*plug* attend my talk at bsdcon, and you'll see
them[1] *plug*)
> <PS>
> Bill, I have finished updating the manual, but do not want to
> commit the change before you answer my questions above.
> </PS>
Many thanks, I have no mdoc ability whatsoever and envy those who do.
--
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
1. My talk/slides/code/etc will be publically available after the talk
as well, obviously everyone can't go to bsdcon for various reasons.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001005212621.U38472>