Date:      Mon, 4 Aug 1997 12:48:06 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        ari.suutari@ps.carel.fi (Ari Suutari)
Cc:        julian@whistle.com, owensc@enc.edu, freebsd-hackers@FreeBSD.ORG
Subject:   Re: IPFW-DIVERT change. WAS:[ipfw rules processing order..]
Message-ID:  <199708041948.MAA29091@bubba.whistle.com>
In-Reply-To: <01BCA0BC.ED773680@ari.suutari@ps.carel.fi> from Ari Suutari at "Aug 4, 97 09:58:14 am"


> > instead of the divert port number 
> > (the process knows this information anyway), the rule number from
> > which the diversion occurred. Also, on sendto() the port number
> > could represent the rule number  to restart processing from.
> > in other words, if the number was 1000, processing would begin at 1001.
> > 
> > this would allow a divert process to leave the same number there
> > that it received, and to avoid loops in that way because the processing
> > would start at the NEXT rule.
> > 
> > present programs probably just copy this number across, so
> > I guess it would be a transparent change to most of them.
> > 
> > does it leave us open to security holes that were
> > blocked before? (see the reason archie gave above)?
> > is this a real threat?
> > can it be proven to (not be)/(be) a threat?
> > 
> > I think this would be an easy change to make.
> > what do the USERS think (divert users).
> 
> 	Why not - at last natd won't mind, since it just copies
> 	the port number. However, change might cause problems
> 	with existing ipfw configurations if there are pass/deny rules
> 	before divert rules.

Who wants to come up with a patch? I don't have time to at the moment.

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
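A small model of the quoted proposal (resume at the rule after the one that diverted), added here as an illustration and not code from this thread or from FreeBSD. It assumes the pre-change behaviour re-ran a re-injected packet from the first rule, uses constructed rule numbers, addresses and a stand-in for natd, and shows both the loop the proposal avoids and the pass/deny rule before the divert rule that Ari's reply says would be skipped.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    number: int
    action: str                                    # "allow", "deny" or "divert"
    match: Callable[[dict], bool] = lambda pkt: True

def run_rules(rules, pkt, daemon, restart_rule, max_rounds=10):
    """Return (verdict, visited rule numbers). restart_rule(rule) models the
    rule number the kernel resumes AFTER when the daemon re-injects the packet
    with the same number it received in sin_port."""
    visited, resume_after = [], 0
    for _ in range(max_rounds):
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.number <= resume_after or not rule.match(pkt):
                continue
            visited.append(rule.number)
            if rule.action != "divert":
                return rule.action, visited
            pkt = daemon(pkt)                      # divert process may rewrite the packet
            resume_after = restart_rule(rule)
            break
        else:
            return "deny", visited                 # default policy at the end of the list
    return "loop", visited                         # never reached a terminal rule

def resume_from_top(rule):      # assumed pre-change behaviour: re-run from the first rule
    return 0

def resume_after_rule(rule):    # the proposal: processing continues at the NEXT rule
    return rule.number

def nat_daemon(pkt):            # constructed stand-in for natd: public -> private address
    return {**pkt, "dst": "192.168.1.10"}

PKT = {"dst": "203.0.113.5"}    # constructed inbound packet for the public address

# Rule sets are constructed; numbers are arbitrary.
RULES_PLAIN = [Rule(100, "divert"), Rule(200, "allow")]
RULES_WITH_DENY = [
    Rule(50, "deny", match=lambda p: p["dst"] == "192.168.1.10"),  # blocks direct-to-private
    Rule(100, "divert"),
    Rule(200, "allow"),
]
```

With RULES_PLAIN the old semantics loop on rule 100 forever while the proposal reaches rule 200; with RULES_WITH_DENY the old semantics re-apply rule 50 to the translated packet and deny it, and the proposal skips rule 50 entirely, which is the configuration change Ari points out.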
