Date: Thu, 04 Jul 2002 10:32:14 -0400 From: "Louis A. Mamakos" <louie@TransSys.COM> To: Ruslan Ermilov <ru@FreeBSD.ORG> Cc: Luigi Rizzo <rizzo@icir.org>, ipfw@FreeBSD.ORG Subject: Re: RFC: inconsistent behaviour on packets generated by the firewall Message-ID: <200207041432.g64EWE0L046700@whizzo.transsys.com> In-Reply-To: Your message of "Thu, 04 Jul 2002 14:41:57 %2B0300." <20020704114157.GC36762@sunbay.com> References: <20020704043409.A26837@iguana.icir.org> <20020704114157.GC36762@sunbay.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Thu, Jul 04, 2002 at 04:34:09AM -0700, Luigi Rizzo wrote: > > Hi, > > i was looking at the implementation of ipfw rules which generate > > a feedback packet back to the source (reset, reject and unreach) > > and i realised that there is a potential problem here... > > > > Some ICMP packets generated by the host bypass the firewall, but > > TCP RST do not, so they can be blocked themselves (this is the way > > the old ipfw works, and there is code to prevent loops). > > > > I think policies should be consistent -- either all packets (including > > icmps generated by the firewal) should go through the firewall again > > (with proper countermeasures to avoid loops), or all packets generated > > by the firewall should bypass the firewall and go to the correct > > destination. > > > > So, what do we want to do ? > > > To have a sysctl knob that allows one to select the desired behavior. > Not sure about the default value. I don't know that having a knob to control all these different behaviors is necessarily a good thing. It makes it that much more difficult to debug any given set of e.g., firewall rules, when there are so many external dependencies. louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207041432.g64EWE0L046700>