Date: Fri, 01 Mar 1996 11:10:18 +0100
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: Archie Cobbs <archie@tribe.com>
Cc: security@freebsd.org
Subject: Re: IP filtering strawman, comments please.
Message-ID: <2183.825675018@critter.tfs.com>
In-Reply-To: Your message of "Thu, 29 Feb 1996 18:18:30." <199603010218.SAA05571@bubba.tribe.com>
> > And finally, what should be done when the rule matches:
>
> How about:
>
> "remap X"   Change the (source/dest) network number to X from whatever
>             it was. This would provide very easy network address translation
>             in the case that the two netmask widths are identical. This could
>             be a big feature if people have to start renumbering their
>             networks but aren't ready yet... cf. rfc1900.
>
> The more general case (such as remapping an entire network
> into a single IP address) is slightly harder, since you have
> to remember what UDP/TCP ports you have mapped to as well,
> time them out, sniff FTP packets, etc... but it can and has
> been done...

I would rather leave this to a user-land process by using the divert
trick. I'm trying to get maximum mileage from the minimum kernel code.
The kernel code needs to be audited very, very carefully, so I don't
want to bloat it with little-used functionality that could just as
well be done in user-land.

> "divert" would be great for security auditing purposes.

And other things too. Remember that the packet can be reinjected after
being chewed on.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2183.825675018>
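The "divert trick" PHK prefers, as an added example that is not part of this thread or of the 1996 ipfw code: a user-land process that performs the simple "remap X" from Archie's proposal (rewrite the network number when the two prefix widths are identical) on packets the kernel hands it through a divert socket, then reinjects them. It assumes the divert(4) socket interface as it later shipped in FreeBSD (socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT); recvfrom() and sendto() with the sockaddr the kernel filled in), an ipfw rule on divert port 5000, and the renumbering 10.1.0.0/16 to 198.18.0.0/16; the sample UDP datagram is constructed for illustration. One point neither message spells out: rewriting an address invalidates the IP header checksum and, through the pseudo-header, the TCP/UDP checksum, so a user-land remapper has to patch both (here with the RFC 1624 incremental update) or the far end silently drops the packet.

```c
/* Added example, not code from this thread or from ipfw of the time: a
 * user-land "remap X" (1:1 renumbering, same prefix width) behind a divert
 * socket. Packet rewriting is portable C; the divert I/O is FreeBSD-only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { REMAP_SRC = 1, REMAP_DST = 2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Internet checksum over a byte range (RFC 1071); used to build and verify. */
static uint16_t csum_compute(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(p + i);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    return (uint16_t)~fold(sum);
}

/* Incremental update after a 32-bit field changed from m to mp
 * (RFC 1624 eq. 3: HC' = ~(~HC + ~m + m')), one 16-bit half at a time. */
static uint16_t csum_replace32(uint16_t hc, uint32_t m, uint32_t mp)
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~(m >> 16);    sum += (uint16_t)(mp >> 16);
    sum += (uint16_t)~(m & 0xffff); sum += (uint16_t)(mp & 0xffff);
    return (uint16_t)~fold(sum);
}

/* Rewrite the network part of src and/or dst when it lies in old_net/mask.
 * Fixes the IP header checksum and, on the first fragment, the TCP/UDP
 * checksum (whose pseudo-header covers both addresses). Returns the number
 * of addresses rewritten, or -1 for a malformed packet or network number. */
int remap_network(uint8_t *pkt, size_t len, uint32_t old_net, uint32_t new_net,
                  uint32_t mask, int which)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = rd16(pkt + 2);
    if (ihl < 20 || tot < ihl || tot > len) return -1;
    if ((old_net & ~mask) || (new_net & ~mask)) return -1;   /* host bits set */
    uint8_t proto = pkt[9];
    int first_frag = (rd16(pkt + 6) & 0x1fff) == 0, changed = 0;
    for (int i = 0; i < 2; i++) {
        size_t off = i == 0 ? 12 : 16;
        if (!(which & (i == 0 ? REMAP_SRC : REMAP_DST))) continue;
        uint32_t a = rd32(pkt + off);
        if ((a & mask) != old_net) continue;
        uint32_t b = new_net | (a & ~mask);       /* keep the host part */
        wr32(pkt + off, b);
        wr16(pkt + 10, csum_replace32(rd16(pkt + 10), a, b));
        if (first_frag && (proto == 6 || proto == 17)) {
            size_t coff = ihl + (proto == 6 ? 16 : 6);
            if (coff + 2 <= tot) {
                uint16_t c = rd16(pkt + coff);
                if (!(proto == 17 && c == 0)) {   /* UDP 0 means "no checksum" */
                    c = csum_replace32(c, a, b);
                    if (proto == 17 && c == 0) c = 0xffff;
                    wr16(pkt + coff, c);
                }
            }
        }
        changed++;
    }
    return changed;
}

/* Full UDP checksum (pseudo-header + datagram), used only for verification. */
static uint16_t udp_csum_full(const uint8_t *pkt)
{
    const uint8_t *u = pkt + (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t ulen = rd16(u + 4);
    uint32_t sum = 17 + ulen;                               /* proto + length */
    for (size_t i = 12; i < 20; i += 2) sum += rd16(pkt + i);  /* src, dst */
    for (size_t i = 0; i + 1 < ulen; i += 2) if (i != 6) sum += rd16(u + i);
    if (ulen & 1) sum += (uint32_t)u[ulen - 1] << 8;
    uint16_t c = (uint16_t)~fold(sum);
    return c ? c : 0xffff;
}

/* 1 if the IP header checksum and (for UDP) the UDP checksum verify. */
int checksums_ok(const uint8_t *pkt)
{
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (csum_compute(pkt, ihl) != 0) return 0;
    if (pkt[9] == 17) {
        uint16_t stored = rd16(pkt + ihl + 6);
        if (stored != 0 && udp_csum_full(pkt) != stored) return 0;
    }
    return 1;
}

/* Constructed sample: UDP 10.1.2.3:1234 -> 192.0.2.9:53 carrying "ping". */
#define SAMPLE_LEN 32
static uint8_t g_pkt[SAMPLE_LEN];
static void build_sample(uint8_t *buf)
{
    static const uint8_t raw[SAMPLE_LEN] = {
        0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0, 0,
        10, 1, 2, 3, 192, 0, 2, 9,
        0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0, 0, 'p', 'i', 'n', 'g' };
    memcpy(buf, raw, SAMPLE_LEN);
    wr16(buf + 10, csum_compute(buf, 20));
    wr16(buf + 26, udp_csum_full(buf));
}

/* Remap a fresh copy of the sample; returns remap_network()'s result, or -2
 * if the checksums no longer verify. sample_addr() reads the result back. */
int sample_remap(uint32_t old_net, uint32_t new_net, uint32_t mask, int which)
{
    build_sample(g_pkt);
    int r = remap_network(g_pkt, SAMPLE_LEN, old_net, new_net, mask, which);
    return (r >= 0 && !checksums_ok(g_pkt)) ? -2 : r;
}
uint32_t sample_addr(int which) { return rd32(g_pkt + (which == REMAP_SRC ? 12 : 16)); }

#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Assumed feeding rule (later ipfw syntax, not the 1996 draft):
 *   ipfw add divert 5000 ip from 10.1.0.0/16 to any out */
int main(void)
{
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(5000);                   /* divert port, not a TCP/UDP port */
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); return 1; }
        /* A malformed packet is simply not reinjected, i.e. dropped. */
        if (remap_network(buf, (size_t)n, 0x0A010000u, 0xC6120000u, 0xFFFF0000u, REMAP_SRC) < 0)
            continue;
        /* Reinject with the sockaddr recvfrom() filled in (rule number and
         * interface), so the kernel resumes filtering after the divert rule. */
        if (sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0) perror("sendto");
    }
}
#else
int main(void)
{
    int r = sample_remap(0x0A010000u, 0xC6120000u, 0xFFFF0000u, REMAP_SRC);
    printf("remapped %d address(es), src now %08lx, checksums %s\n",
           r, (unsigned long)sample_addr(REMAP_SRC), r >= 0 ? "ok" : "BAD");
    return 0;
}
#endif
```

Everything the process does to the packet happens in remap_network(); the divert loop is only plumbing. That is the point of PHK's argument: the audit surface that matters stays in the kernel's filter, and a bug here crashes one unprivileged daemon rather than the kernel. The same loop, with remap_network() swapped for a state table keyed on ports, is the "more general case" Archie describes, and it is also why the simple remap stays simple: with identical prefix widths there is no per-flow state to keep or time out.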