Date:      Sun, 17 Feb 2002 00:50:02 -0800 (PST)
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/35022: network  broadcast  addresses  may be used for communications with the system just as well as if it was her own.
Message-ID:  <200202170850.g1H8o2765480@freefall.freebsd.org>

The following reply was made to PR misc/35022; it has been noted by GNATS.

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Igor M Podlesny <poige@morning.ru>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/35022: network  broadcast  addresses  may be used for communications with the system just as well as if it was her own.
Date: Sun, 17 Feb 2002 00:43:14 -0800

 I don't think 'me' not matching the broadcast address is in itself a
 problem. The example of, 'deny ip from any to me,' demonstrates why it
 is bad to explicitly deny. Use an explicit pass and default to deny.
 
 I also think 'me' works as advertised,
 
              Specifying me makes the rule match any IP address configured on
              an interface in the system.
 
 If you want to block a broadcast address in addition to the ones
 assigned to the interface, do so.
 
 But there was mention of another behavior that is a bug. You _can_
 establish a TCP connection to a FreeBSD machine with the destination
 being the broadcast address. This is oh so Very Very Bad. And it
 breaks the Standard (the Standard being everyone's favorite, RFC1122),
 
          4.2.3.10  Remote Address Validation
 
          ...
 
             A TCP implementation MUST silently discard an incoming SYN
             segment that is addressed to a broadcast or multicast
             address.
 
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
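
The two points in the message above, sketched as an added example that is not part of the original e-mail and is not FreeBSD's code: a destination check that separates addresses configured on an interface (what `me` is documented to match) from broadcast and multicast destinations, for which RFC 1122 4.2.3.10 requires an incoming SYN to be silently discarded. The function names and the interface table are hypothetical, and the addresses are constructed from documentation ranges.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One configured IPv4 address and netmask, host byte order. */
struct ifaddr4 { uint32_t addr, mask; };

/* Constructed sample configuration (documentation ranges), not from the PR. */
static const struct ifaddr4 sample_ifs[] = {
    { 0xC0000205u, 0xFFFFFF00u },   /* 192.0.2.5/24     */
    { 0xC6336441u, 0xFFFFFFC0u },   /* 198.51.100.65/26 */
};
#define SAMPLE_N (sizeof(sample_ifs) / sizeof(sample_ifs[0]))

enum dst_class { DST_NOT_LOCAL, DST_LOCAL_UNICAST, DST_BROADCAST, DST_MULTICAST };

enum dst_class classify_dst(uint32_t dst, const struct ifaddr4 *ifs, size_t n)
{
    enum dst_class c = DST_NOT_LOCAL;
    if (dst == 0xFFFFFFFFu) return DST_BROADCAST;                 /* limited broadcast */
    if ((dst & 0xF0000000u) == 0xE0000000u) return DST_MULTICAST; /* 224.0.0.0/4 */
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = ifs[i].mask;
        /* Directed broadcast: host bits all ones. /31 and /32 have none. */
        if (mask < 0xFFFFFFFEu && dst == ((ifs[i].addr & mask) | ~mask))
            return DST_BROADCAST;
        if (dst == ifs[i].addr) c = DST_LOCAL_UNICAST;
    }
    return c;
}

/* 'me' as documented: only addresses configured on an interface match. */
int matches_me(uint32_t dst)
{
    return classify_dst(dst, sample_ifs, SAMPLE_N) == DST_LOCAL_UNICAST;
}

/* RFC 1122 4.2.3.10: a SYN to a broadcast or multicast address is dropped. */
int syn_must_be_discarded(uint32_t dst)
{
    enum dst_class c = classify_dst(dst, sample_ifs, SAMPLE_N);
    return c == DST_BROADCAST || c == DST_MULTICAST;
}

int main(void)
{
    uint32_t bcast = 0xC00002FFu;   /* 192.0.2.255, broadcast of the first subnet */
    printf("me=%d discard_syn=%d\n", matches_me(bcast), syn_must_be_discarded(bcast));
    return 0;
}
```

For 192.0.2.255 the `me` check is false while the SYN check is true, which is why a rule written against `me` does not cover the broadcast address and the discard has to happen in the TCP input path or in an explicit rule.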
