Date: Tue, 25 Jan 2000 11:34:11 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: dillon@apollo.backplane.com (Matthew Dillon)
Cc: imp@village.org (Warner Losh), security@FreeBSD.ORG
Subject: Re: Merged patches
Message-ID: <200001251934.LAA71614@gndrsh.dnsmgr.net>
In-Reply-To: <200001251733.JAA04770@apollo.backplane.com> from Matthew Dillon at "Jan 25, 2000 09:33:16 am"
> :this patch. I'm thinking seriously of removing the ICMP_BANDLIM
> :option as an option (eg compile the code in no matter what), but
> :raising the limit from 100 to 1000 or something like that so it won't
> :normally impact people, but those desiring to harden their servers can
> :drift the number downward.
> :
> :Comment?
> :
> :Warner
>
> I'd increase the default to 200, no higher. 1000 is probably too
> high a rate.
>
> I found a bug in the patch:
>
> : #endif
> :- if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
> :- goto drop;
> :+ if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)) ||
> :+ IN_MULTICAST(ntohl(ip->ip_src.s_addr)) ||
> :+ IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr)))

And yet another bugger.... you just made it impossible for anyone doing
work with the EXPERIMENTAL block at 240.0.0.0/8 on FreeBSD using TCP
without hacking the kernel code. Please remove the last check here.
This one is best handled by ipfw or ipfilter, not by kernel policy.
These are _NOT_ multicast addresses, they are simply ``reserved'' for
experimental usage!

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
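Review bot: the `IN_EXPERIMENTAL(ntohl(ip->ip_src.s_addr))` term in the `+` lines makes the kernel drop every TCP segment from a 240.0.0.0/8 source regardless of what ipfw or ipfilter has been configured to allow, and the reply notes there is no way to turn it off short of editing the kernel; suggest removing that term (keeping `IN_MULTICAST` on both `ip_src` and `ip_dst`, since a multicast source address is never legitimate) or, if the stricter default is wanted, putting it behind a sysctl so the experimental block can be re-enabled by policy rather than by recompiling. The quoted hunk also stops before the replacement `goto drop;` line and any trailing context, so the complete hunk should be checked to confirm exactly which path the widened condition now guards.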
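To make the effect of the disputed check concrete, here is an added example, not code from the FreeBSD patch or from anyone in this thread: the `-` and `+` conditions from the quoted hunk, plus the narrower variant the reply asks for, reproduced in user space and run over a few constructed flows. The `EX_MULTICAST` and `EX_EXPERIMENTAL` macros are assumed to mirror BSD's `IN_MULTICAST` and `IN_EXPERIMENTAL` (224.0.0.0/4 and 240.0.0.0/4 on a host-byte-order address), so the hunk's check covers the whole class E range, of which the 240.0.0.0/8 block named in the mail is a part.

```c
/* Added example, not from the FreeBSD patch or this thread: the check in the
 * quoted hunk beside the narrower one Rod asks for, in user space. EX_MULTICAST
 * and EX_EXPERIMENTAL are assumed to mirror BSD's IN_MULTICAST/IN_EXPERIMENTAL
 * macros (224.0.0.0/4 and 240.0.0.0/4 on a host-byte-order address). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

#define EX_MULTICAST(i)    ((((uint32_t)(i)) & 0xf0000000U) == 0xe0000000U)
#define EX_EXPERIMENTAL(i) ((((uint32_t)(i)) & 0xf0000000U) == 0xf0000000U)
/* Before the patch (the "-" lines): drop only a multicast destination. */
int drop_before(uint32_t src, uint32_t dst) { (void)src; return EX_MULTICAST(dst); }
/* The "+" lines: also drop multicast and class E (240/4) sources. */
int drop_patched(uint32_t src, uint32_t dst) {
    return EX_MULTICAST(dst) || EX_MULTICAST(src) || EX_EXPERIMENTAL(src);
}
/* Rod's proposal: keep the multicast-source check, leave 240/4 to ipfw/ipfilter. */
int drop_proposed(uint32_t src, uint32_t dst) {
    return EX_MULTICAST(dst) || EX_MULTICAST(src);
}

/* Dotted quad to host-order address; 0 on malformed input. */
int parse_v4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Apply one rule to a src/dst pair given as strings; -1 if either is malformed. */
int check_flow(int (*rule)(uint32_t, uint32_t), const char *src, const char *dst) {
    uint32_t s, d;
    if (!parse_v4(src, &s) || !parse_v4(dst, &d)) return -1;
    return rule(s, d);
}

int main(void) {
    static const char *flows[][2] = { /* constructed sample flows, src -> dst */
        {"192.0.2.10", "198.51.100.7"}, /* ordinary unicast: never dropped */
        {"224.0.0.5",  "198.51.100.7"}, /* multicast source: dropped by both new checks */
        {"240.1.2.3",  "198.51.100.7"}, /* class E source: only the hunk's check drops it */
        {"192.0.2.10", "239.1.1.1"},    /* multicast destination: dropped by all three */
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("%-11s -> %-12s before=%d patched=%d proposed=%d\n", flows[i][0],
               flows[i][1], check_flow(drop_before, flows[i][0], flows[i][1]),
               check_flow(drop_patched, flows[i][0], flows[i][1]),
               check_flow(drop_proposed, flows[i][0], flows[i][1]));
    return 0;
}
```

The third flow is the case the reply objects to: a 240/4 source that the hunk's condition discards in the kernel while the proposed variant leaves the decision to the packet filter.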
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200001251934.LAA71614>