Date: Sun, 17 Feb 2002 00:50:02 -0800 (PST)
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/35022: network broadcast addresses may be used for communications with the system just as well as if it was her own.
Message-ID: <200202170850.g1H8o2765480@freefall.freebsd.org>
The following reply was made to PR misc/35022; it has been noted by GNATS.

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Igor M Podlesny <poige@morning.ru>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/35022: network broadcast addresses may be used for communications with the system just as well as if it was her own.
Date: Sun, 17 Feb 2002 00:43:14 -0800

I don't think 'me' not matching the broadcast address is in itself a problem. The example of, 'deny ip from any to me,' demonstrates why it is bad to explicitly deny. Use an explicit pass and default to deny. I also think 'me' works as advertised:

  Specifying me makes the rule match any IP address configured on an
  interface in the system.

If you want to block a broadcast address in addition to the ones assigned to the interface, do so.

But there was mention of another behavior that is a bug. You _can_ establish a TCP connection to a FreeBSD machine with the destination being the broadcast address. This is oh so Very Very Bad. And it breaks the Standard (the Standard being everyone's favorite, RFC1122),

  4.2.3.10 Remote Address Validation
  ...
  A TCP implementation MUST silently discard an incoming SYN segment that
  is addressed to a broadcast or multicast address.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
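The two points in the reply above, modelled as an added example that is not part of the PR, the mail, or FreeBSD's own code: a toy evaluator for ipfw's 'me' keyword (matching only addresses configured on interfaces, never their broadcast addresses), the "explicit deny" versus "explicit pass, default deny" rulesets, and the RFC 1122 section 4.2.3.10 check a conforming TCP stack applies to incoming SYNs. The interface table, the two-action rule shape (only 'me' and 'any' destinations are modelled) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed interface table for a hypothetical host (assumption: these
# addresses are illustrative and do not come from the PR).
INTERFACES = [
    ipaddress.ip_interface("192.0.2.10/24"),
    ipaddress.ip_interface("10.0.0.1/8"),
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def local_addresses(ifaces=INTERFACES):
    """Addresses that ipfw's 'me' keyword matches: the ones configured on
    interfaces, and nothing else."""
    return {i.ip for i in ifaces}


def broadcast_addresses(ifaces=INTERFACES):
    """Directed broadcast of every configured network plus the limited
    broadcast address. 'me' matches none of these."""
    return {i.network.broadcast_address for i in ifaces} | {LIMITED_BROADCAST}


def ipfw_me_matches(dst, ifaces=INTERFACES):
    """Model of the 'me' destination test."""
    return ipaddress.ip_address(dst) in local_addresses(ifaces)


def must_discard_syn(dst, ifaces=INTERFACES):
    """RFC 1122 section 4.2.3.10: an incoming SYN addressed to a broadcast or
    multicast address MUST be silently discarded. True means a conforming
    stack drops it before creating any connection state."""
    d = ipaddress.ip_address(dst)
    return d.is_multicast or d in broadcast_addresses(ifaces)


def verdict(dst, ruleset, ifaces=INTERFACES):
    """Evaluate a toy ipfw-style ruleset top to bottom; first match wins.
    Each rule is (action, destination) with destination 'me' or 'any'."""
    for action, target in ruleset:
        if target == "any" or (target == "me" and ipfw_me_matches(dst, ifaces)):
            return action
    return "deny"  # models ipfw's final default rule (deny unless built otherwise)


# The pattern criticised in the reply: deny what you think is local, pass the rest.
EXPLICIT_DENY = [("deny", "me"), ("allow", "any")]
# The recommended pattern: pass only what you explicitly want, deny everything else.
DEFAULT_DENY = [("allow", "me"), ("deny", "any")]


def syn_disposition(dst, ruleset, stack_follows_rfc1122=True, ifaces=INTERFACES):
    """Where an incoming SYN to dst ends up: dropped by the firewall,
    discarded by a conforming TCP stack, or accepted into a connection.
    stack_follows_rfc1122=False models the bug described in the reply."""
    if verdict(dst, ruleset, ifaces) == "deny":
        return "firewall-deny"
    if stack_follows_rfc1122 and must_discard_syn(dst, ifaces):
        return "stack-discard"
    return "connect"


if __name__ == "__main__":
    for dst in ("192.0.2.10", "192.0.2.255", "255.255.255.255", "224.0.0.1"):
        print(dst,
              "me" if ipfw_me_matches(dst) else "not-me",
              "explicit-deny:", syn_disposition(dst, EXPLICIT_DENY, False),
              "default-deny:", syn_disposition(dst, DEFAULT_DENY, False))
```

With the explicit-deny ruleset, a SYN to the directed broadcast 192.0.2.255 passes the firewall (it is not 'me'), and on a stack that ignores 4.2.3.10 it connects; the same SYN against the default-deny ruleset never reaches the stack at all, which is why the reply recommends that shape regardless of whether the kernel bug is fixed.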
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202170850.g1H8o2765480>