From owner-freebsd-security Tue Jul 25 17:14:43 2000
Date: Tue, 25 Jul 2000 20:14:35 -0400
From: Bill Fumerola
To: Garrett Wollman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problems with natd and simple firewall
Message-ID: <20000725201435.Q51462@jade.chc-chimes.com>
References: <200007252128.OAA52048@gndrsh.dnsmgr.net>
 <20000725193941.P51462@jade.chc-chimes.com>
 <200007260007.UAA08510@khavrinen.lcs.mit.edu>
In-Reply-To: <200007260007.UAA08510@khavrinen.lcs.mit.edu>; from wollman@khavrinen.lcs.mit.edu on Tue, Jul 25, 2000 at 08:07:02PM -0400

On Tue, Jul 25, 2000 at 08:07:02PM -0400, Garrett Wollman wrote:
> < said:
>
> > (short of checking the route back before allowing the packet, which is more
> > costly etc etc, cisco has something that does this).
>
> Yep.  Great feature, and it wouldn't be at all hard to implement in
> FreeBSD (it should be pretty obvious how to add the check in
> ip_forward()).  Of course, even if you do that, you still need to
> filter out the ``bad'' addresses:

I've pretty much been consumed with the 2k lines of ip_fw.c recently so
I have a decent knowledge of how it works now (scary..), would this be
something we'd want to do within ipfw or as a separate entity?

Is there more data (whitepapers, etc) on what the cisco products do?

-- 
Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
billf@chimesnet.com / billf@FreeBSD.org
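
The "check the route back before allowing the packet" idea from the quoted text, as an added user-space example (not part of the thread, and not FreeBSD's ip_forward() or Cisco's code): a packet is accepted only if the best route to its source address leaves through the interface it arrived on. The routing table, interface names and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical toy routing table; every entry is constructed sample data. */
struct route { uint32_t prefix; int len; int ifidx; };
enum { IF_INSIDE = 0, IF_OUTSIDE = 1 };

static const struct route table[] = {
    { 0xC0A80100u, 24, IF_INSIDE  },  /* 192.168.1.0/24 behind the inside interface */
    { 0x00000000u,  0, IF_OUTSIDE },  /* default route via the outside interface */
};

static uint32_t mask(int len)
{
    return len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);
}

/* Longest-prefix match: interface used to reach addr, or -1 if no route. */
static int route_lookup(uint32_t addr)
{
    int best_len = -1, best_if = -1;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if ((addr & mask(table[i].len)) == table[i].prefix &&
            table[i].len > best_len) {
            best_len = table[i].len;
            best_if = table[i].ifidx;
        }
    }
    return best_if;
}

/* Strict reverse-path check: 1 = accept, 0 = drop. */
int rpf_accept(uint32_t src, int recv_if)
{
    int out_if = route_lookup(src);
    return out_if >= 0 && out_if == recv_if;
}

int main(void)
{
    /* 192.168.1.5 claimed as source on each interface, then 198.51.100.7. */
    printf("inside src on inside:   %d\n", rpf_accept(0xC0A80105u, IF_INSIDE));
    printf("inside src on outside:  %d\n", rpf_accept(0xC0A80105u, IF_OUTSIDE));
    printf("default-routed src out: %d\n", rpf_accept(0xC6336407u, IF_OUTSIDE));
    return 0;
}
```

The third case is accepted because any source covered only by the default route passes on the outside interface, so the check complements address filters rather than replacing them.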