Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
From: Darren Reed (avalon@coombs.anu.edu.au)
Date: Mon Jul 31 2000 - 07:17:19 CDT


In some mail from Siobhan Patricia Lynch, sie said:
> because I'm bridging....
>
> this may just be hearsay, but evidently ipf doesn't work with freebsd and
> bridging, I have the "firewall" on one wire into the arrowpoint.

Well, if you're doing layer 2 forwarding (i.e. bridging) then of course
layer 3 filtering (IP firewalling) is going to be a problem.

I could give you a patch to enable IP Filter to work here but I'm not
sure I want to give implicit support to that sort of "thing".

Heck, I look at it now (haven't before) and instantly see a bunch of
ways to crash FreeBSD because a bunch of sanity checks are not being
done before ip_fw_chk() is called if I can write layer 2 packets for
FreeBSD to bridge - and that's without even testing. In essence, a
bunch of code from the start of ip_input() needs to be duplicated and
hasn't. That it is needed for what you want to do (ipfw for bridging)
should speak volumes about this being the wrong way to skin this
particular cat.

Darren
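The failure mode Darren describes, illustrated with added example code that is not part of this thread and is not FreeBSD's ip_input() or ip_fw_chk(): a filter hook that trusts the header-length and total-length fields of a frame that never passed through the IP input path's validation will read past the end of the packet on a crafted header, while running the same class of sanity checks first rejects the frame before any rule looks at it. The frame layout, verdict codes and function names below are constructed for the illustration and are assumptions, not kernel interfaces.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum ip_check {
    IP_OK = 0,
    IP_TOO_SHORT,    /* frame shorter than a minimal 20-byte header */
    IP_BAD_VERSION,  /* version nibble is not 4 */
    IP_BAD_IHL,      /* header length < 20 or runs past the frame */
    IP_BAD_LENGTH,   /* total length < header length or > frame */
    IP_BAD_CSUM      /* header checksum does not verify */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 791 one's-complement sum; yields 0 over a header whose checksum field is correct. */
static uint16_t ip_csum(const uint8_t *p, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < n; i += 2) sum += rd16(p + i);
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The kind of validation an IP input path performs before handing the packet
 * to a filter hook (illustrative only, not FreeBSD's ip_input()). */
enum ip_check ip_sanity(const uint8_t *pkt, size_t frame_len) {
    if (frame_len < 20) return IP_TOO_SHORT;
    if ((pkt[0] >> 4) != 4) return IP_BAD_VERSION;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > frame_len) return IP_BAD_IHL;
    uint16_t tot = rd16(pkt + 2);
    if (tot < hlen || tot > frame_len) return IP_BAD_LENGTH;
    if (ip_csum(pkt, hlen) != 0) return IP_BAD_CSUM;
    return IP_OK;
}

/* Offset at which a port rule that trusts the IHL field reads the TCP dst port. */
size_t naive_dport_offset(const uint8_t *pkt) {
    return (size_t)(pkt[0] & 0x0f) * 4 + 2;
}

/* 1 when that read falls outside the frame, i.e. into memory after the packet. */
int naive_read_overruns(const uint8_t *pkt, size_t frame_len) {
    return naive_dport_offset(pkt) + 2 > frame_len;
}

/* Filter entry that runs the sanity pass first. Returns the TCP destination
 * port, -1 if the packet is rejected before any rule runs, -2 if not TCP. */
int checked_filter_dport(const uint8_t *pkt, size_t frame_len) {
    if (ip_sanity(pkt, frame_len) != IP_OK) return -1;
    if (pkt[9] != 6) return -2;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen + 4 > rd16(pkt + 2)) return -1;     /* no room for TCP ports */
    return rd16(pkt + hlen + 2);
}

/* Constructed 24-byte frame: IPv4 header plus the first 4 bytes of TCP (ports).
 * ihl_words and total_len are written as given so malformed headers can be
 * produced; the checksum is computed over the first 20 bytes. */
static void build_frame(uint8_t buf[24], uint8_t ihl_words, uint16_t total_len, uint16_t dport) {
    memset(buf, 0, 24);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    wr16(buf + 2, total_len);
    buf[8] = 64;                                              /* TTL */
    buf[9] = 6;                                               /* protocol: TCP */
    memcpy(buf + 12, "\xc0\xa8\x01\x01\xc0\xa8\x01\x02", 8);  /* 192.168.1.1 -> .2 */
    wr16(buf + 22, dport);
    wr16(buf + 10, ip_csum(buf, 20));
}

/* Well-formed frame: the checked filter reads dport 22. */
int case_valid_dport(void) {
    uint8_t f[24]; build_frame(f, 5, 24, 22);
    return checked_filter_dport(f, sizeof f);
}

/* IHL claims a 60-byte header inside a 24-byte frame: the naive read
 * overruns the frame, the checked path stops at IP_BAD_IHL. */
int case_bad_ihl_naive_overruns(void) {
    uint8_t f[24]; build_frame(f, 15, 24, 22);
    return naive_read_overruns(f, sizeof f);
}
enum ip_check case_bad_ihl_verdict(void) {
    uint8_t f[24]; build_frame(f, 15, 24, 22);
    return ip_sanity(f, sizeof f);
}

/* Total length claims 1500 bytes but only 24 arrived. */
enum ip_check case_oversize_total_len(void) {
    uint8_t f[24]; build_frame(f, 5, 1500, 22);
    return ip_sanity(f, sizeof f);
}

int main(void) {
    printf("valid frame: dport=%d\n", case_valid_dport());
    printf("bad ihl: naive read overruns=%d, verdict=%d\n",
           case_bad_ihl_naive_overruns(), (int)case_bad_ihl_verdict());
    printf("oversize total length: verdict=%d\n", (int)case_oversize_total_len());
    return 0;
}
```

The point of the side-by-side is the one in the message: the filter itself is not where the length and checksum checks belong, so a code path that feeds it frames which skipped ip_input() inherits every assumption the filter makes about a header it never validated.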

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message