Date: Sun, 22 Apr 2001 20:18:48 +0700
From: Igor Podlesny <poige@morning.ru>
To: Bert Kellerman <bertke@charter.net>
Cc: freebsd-security@freebsd.org
Subject: Re[2]: ipfw problem
Message-ID: <2410845404.20010422201848@morning.ru>
In-Reply-To: <3AE2C731.13715531@charter.net>
References: <68144568768.20010422130414@morning.ru> <3AE2C731.13715531@charter.net>
BK> I don't see a problem with the current implementation of not having
BK> ranges.
So do I (almost). The only thing I almost (again this word)
prefer is flexibility -- if things can be made more flexible, they
certainly should be. It is the basis of all computer programming
(variables, indirect de-referencing, and so on).
BK> Most routed firewall configurations are built on top of a
BK> subnetted hierarchy,
Aha... but there is the point-to-point 'beast', which need not follow
this at all -- 10.0.0.1:192.168.255.1 is a quite legal pair... (just an
example, without any connection to the use of a 10.1-192.168.255.1 range :)
BK> with each subnet having a different security
BK> policy. I think if you are trying to enforce different security policies
BK> for certain *ranges* of a subnet, then you should rethink your strategy
BK> and consider subnetting. In a solid network security architecture, the
BK> physical and layer3 topology should be consistent with your ip filtering
BK> design. Even if what I stated above is *not* true :) , then just learn
BK> to use the net/mask connotation...it's standard.
Thank you, but it seems you got me absolutely wrong; I'd recommend you
read my previous answer in the thread again :) I do use net/m.a.s.k or
net/mask and am quite familiar with that system. (The point of my
reply was that implementing ip1-ip2 checking isn't too hard and
wouldn't make the firewall code too slow.)
P.S. The reality is that one aim may be reached in different ways
-- that is how the world is built. So it is rather logical to have different
ways of expressing ideas (coding too ;).
And that is what UNIX stands on.
%)
BK> Regards,
BK> Bert
BK> Igor Podlesny wrote:
>>
>> PP> On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> >> Hi Peter,
>> >>
>> >> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> >> ranges?? If the author is listening...)
>> >>
>> >> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> >> in the script. No such luck.
>>
>> PP> Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
>> PP> until later? If so, has that solved your problem?
>>
>> PP> And about the ranges - ipfw(8) is only a controlling interface to the kernel
>> PP> ipfw routines.
>> sure
>>
>> PP> It would be *much* harder for the kernel to compare every
>> PP> packet's address against a range than it is to compare it against a netmask -
>> PP> the latter only involves a bitwise AND operator.
>>
>> I rather don't agree with that statement, but consider, we should
>> decide what *MUCH* is in any case :)
>>
>> And pay attention, please -- it checks port ranges absolutely
>> easily. I don't see any big difference between ports and IP-addresses.
>> They are both represented as usual (not too big) numbers in the end.
>>
>> PP> I wonder if ranges would
>> PP> be so hard to implement though; the fact is, they are not implemented at
>> PP> the moment, this would take some work, and actually, I'm not aware of any
>> PP> other firewalling system that implements ranges. I would be VERY much out
>> PP> of my bailiwick here, though, because I've not dealt with that many other
>> PP> firewalling systems, but still, I think ranges are somewhat unusual in
>> PP> firewall rules :)
>>
>> PP> G'luck,
>> PP> Peter
>>
>> --
>> Igor mailto:poige@morning.ru
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
--
Igor mailto:poige@morning.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2410845404.20010422201848>
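The cost argument in this thread, as an added example that is not code from the thread or from ipfw itself: a net/mask match is one AND and one compare, an ip1-ip2 match is two unsigned compares (the same as ipfw's port-range check), and an arbitrary range rewritten as net/mask entries can need many rules. The helper names (`ip4`, `match_mask`, `match_range`, `range_to_cidr`) are this example's own, not ipfw's, and the 10.0.0.1-10.0.0.254 range is a constructed sample.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad into a host-order 32-bit integer; returns 0 on malformed input. */
static uint32_t ip4(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* net/mask match: one AND and one compare, the test ipfw performs today. */
static bool match_mask(uint32_t addr, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* ip1-ip2 match: two unsigned compares, exactly what a port-range check costs. */
static bool match_range(uint32_t addr, uint32_t lo, uint32_t hi) {
    return addr >= lo && addr <= hi;
}

/* Rewrite lo..hi as the smallest list of net/prefix blocks, i.e. the rules one must
 * type without range support. Fills nets[]/prefixes[] up to max entries, returns count. */
static int range_to_cidr(uint32_t lo, uint32_t hi, uint32_t *nets, int *prefixes, int max) {
    int n = 0;
    uint64_t cur = lo;                        /* 64-bit so cur + size cannot wrap */
    while (cur <= hi && n < max) {
        int prefix = 32;
        while (prefix > 0) {                  /* widen while the block stays aligned and inside hi */
            int p = prefix - 1;
            uint64_t size = (uint64_t)1 << (32 - p);
            if ((cur & (size - 1)) != 0 || cur + size - 1 > hi)
                break;
            prefix = p;
        }
        nets[n] = (uint32_t)cur;
        prefixes[n++] = prefix;
        cur += (uint64_t)1 << (32 - prefix);
    }
    return n;
}

int main(void) {
    uint32_t nets[64]; int prefixes[64];
    int n = range_to_cidr(ip4("10.0.0.1"), ip4("10.0.0.254"), nets, prefixes, 64);
    for (int i = 0; i < n; i++)   /* prints the 14 net/mask rules the one range replaces */
        printf("%u.%u.%u.%u/%d\n", nets[i] >> 24, (nets[i] >> 16) & 255, (nets[i] >> 8) & 255, nets[i] & 255, prefixes[i]);
    return 0;
}
```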
