From: Adrian Penisoara
Date: Thu, 19 Sep 2002 11:07:07 +0300 (EEST)
To: freebsd-net@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: Desired feature: ipfw pass for routed IPs

Hi,

When building anti-spoofing firewall rules on a routing server it would be very helpful to have a way to tell ipfw (or other firewalling mechanisms) to pass all packets whose source or destination IP has a valid (static/daemon) routing entry in the kernel.

Something maybe like:

    ipfw add allow ip from any to any routed static via xl0
    ipfw add deny ip from any to any via xl0

The 'routed' keyword should accept route associated flags (like those listed in route(8)). That would be a desired feature too, because some routing daemons mark their routes in a different way (for example Zebra brings up the RTF_PROTO1 flag on its routes).

It's been said that iproute2 in the recent Linux kernels already supports this, but I haven't checked out closely.

How hard would that be to implement?
Thank you,
Adrian Penisoara
Ady (@freebsd.ady.ro)

 ____________________________________________________________________
| An age is called Dark not because the light fails to shine, but    |
| because people refuse to see it.                                   |
|                                   -- James Michener, "Space"       |
 --------------------------------------------------------------------
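A user-space model of the proposed 'routed <flags>' match, added here as an illustration and not part of the original message or of ipfw itself: it parses a constructed netstat -rn table, does the longest-prefix lookup the kernel would do for a packet's source and destination, and checks the route's flag letters (S for static, 1 for the RTF_PROTO1 bit that Zebra sets). The sample table, the function names and the decision to skip the default route are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -rn -f inet` output (not captured from a
# real host). Flag letters follow route(8)/netstat(1): U=RTF_UP,
# G=RTF_GATEWAY, S=RTF_STATIC, H=RTF_HOST, 1=RTF_PROTO1 (set by Zebra).
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags    Netif
default            203.0.113.1        UGS      xl0
10.0.0.0/8         10.1.1.1           UG1      xl1
192.0.2.0/24       link#1             UC       xl0
198.51.100.0/24    10.1.1.1           UGS      xl1
203.0.113.9        203.0.113.1        UGHS     xl0
"""

def parse_routes(text):
    """Turn netstat -rn output into a list of (network, flag_letters, netif)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the column header
        dest, _gateway, flags, netif = line.split()
        if dest == "default":
            dest = "0.0.0.0/0"
        # A bare address is a host route, i.e. a /32.
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, frozenset(flags), netif))
    return routes

def lookup(addr, routes, ignore_default=True):
    """Longest-prefix match; returns (network, flags, netif) or None.
    A default route covers every address and would make everything
    'routed', which defeats an anti-spoofing rule, so it is skipped
    unless the caller explicitly asks for it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, flags, netif in routes:
        if ignore_default and net.prefixlen == 0:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags, netif)
    return best

def routed(addr, routes, required=""):
    """The 'routed <flags>' test for one address: a route must cover it
    and carry every required flag letter (e.g. "S" static, "1" RTF_PROTO1)."""
    hit = lookup(addr, routes)
    return hit is not None and set(required) <= hit[1]

def allow_packet(src, dst, routes, required=""):
    """Model of 'ipfw add allow ip from any to any routed <flags>':
    pass when the source or the destination satisfies the routed match."""
    return routed(src, routes, required) or routed(dst, routes, required)
```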