Date: Mon, 31 Jul 2000 09:07:01 -0400 (EDT)
From: Siobhan Patricia Lynch <trish@bsdunix.net>
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
Message-ID: <Pine.BSO.4.21.0007310903460.21752-100000@superconductor.rush.net>
In-Reply-To: <200007311217.WAA24806@cairo.anu.edu.au>

unfortunately, it was put in as a stop gap. you have to remember that
certain people were opposed to me doing ANYTHING at first, however I have
not had a problem to date. and the traffic flowing through it is quite heavy.

no one is going to convince me that ipfw is the wrong thing for the job,
maybe not the *best* thing, but that simply means that I would have needed
an openbsd disk in an emergency at that particular time and had I had the
cd's, well we wouldn't be having this discussion on a *freebsd* list, eh?

-Trish

__

Trish Lynch
FreeBSD - The Power to Serve
trish@bsdunix.net
Rush Networking
trish@rush.net

On Mon, 31 Jul 2000, Darren Reed wrote:

> In some mail from Siobhan Patricia Lynch, sie said:
> > because I'm bridging....
> >
> > this may just be hearsay, but evidently ipf doesn't work with freebsd and
> > bridging, I have the "firewall" on one wire into the arrowpoint.
>
> Well, if you're doing layer 2 forwarding (i.e. bridging) then of course
> layer 3 filtering (IP firewalling) is going to be a problem.
>
> I could give you a patch to enable IP Filter to work here but I'm not
> sure I want to give implicit support to that sort of "thing".
>
> Heck, I look at it now (haven't before) and instantly see a bunch of
> ways to crash FreeBSD because a bunch of sanity checks are not being
> done before ip_fw_chk() is called if I can write layer 2 packets for
> FreeBSD to bridge - and that's without even testing. In essence, a
> bunch of code from the start of ip_input() needs to be duplicated and
> hasn't. That it is needed for what you want to do (ipfw for bridging)
> should speak volumes about this being the wrong way to skin this
> particular cat.
>
> Darren
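
The quoted reply above says a bridging path must repeat the header sanity checks an IP input routine performs before handing a frame to the packet filter. The sketch below is an added illustration, not code from this thread, FreeBSD, or IP Filter: it validates an Ethernet frame's IPv4 header (minimum length, version, header length, total length, header checksum) before any filter would parse it. The names `check_bridged_frame`, `ip_hdr_sum`, the verdict enum, and `sample_frame` are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define IP_MIN_HLEN     20

enum frame_verdict { FRAME_OK, FRAME_NOT_IPV4, FRAME_TRUNCATED,
                     FRAME_BAD_VERSION, FRAME_BAD_HLEN,
                     FRAME_BAD_TOTLEN, FRAME_BAD_CSUM };

/* Constructed sample: Ethernet + bare IPv4 header, 192.0.2.1 -> 192.0.2.2. */
static const uint8_t sample_frame[34] = {
    0x02,0,0,0,0,0x02,  0x02,0,0,0,0,0x01,  0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x01,0xf6,0xe5,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02 };

/* One's-complement sum of the header; a valid header folds to 0xffff. */
static uint16_t ip_hdr_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Every length is checked against the bytes actually received before the
 * field it guards is read, so a later filter never parses past the buffer. */
enum frame_verdict check_bridged_frame(const uint8_t *f, size_t len)
{
    if (len < ETH_HLEN) return FRAME_TRUNCATED;
    if (((f[12] << 8) | f[13]) != ETHERTYPE_IPV4) return FRAME_NOT_IPV4;

    const uint8_t *ip = f + ETH_HLEN;
    size_t avail = len - ETH_HLEN;
    if (avail < IP_MIN_HLEN) return FRAME_TRUNCATED;
    if ((ip[0] >> 4) != 4) return FRAME_BAD_VERSION;

    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;      /* header length field */
    if (hlen < IP_MIN_HLEN || hlen > avail) return FRAME_BAD_HLEN;

    size_t total = (size_t)((ip[2] << 8) | ip[3]); /* claimed datagram size */
    if (total < hlen || total > avail) return FRAME_BAD_TOTLEN;

    if (ip_hdr_sum(ip, hlen) != 0xffff) return FRAME_BAD_CSUM;
    return FRAME_OK;
}
```

Frames that return `FRAME_NOT_IPV4` can still be bridged unfiltered or dropped by policy; the point is that only `FRAME_OK` frames should reach code that trusts the IP header fields.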