Date: Thu, 1 Mar 2001 20:28:04 -0600
From: Jonathan Lemon <jlemon@flugsvamp.com>
To: itojun@iijlab.net
Cc: Jonathan Lemon <jlemon@flugsvamp.com>, Nate Williams <nate@yogotech.com>, Jonathan Lemon <jlemon@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_input.c
Message-ID: <20010301202804.W25974@prism.flugsvamp.com>
In-Reply-To: <2585.983499093@coconut.itojun.org>
References: <20010301194751.V25974@prism.flugsvamp.com> <2585.983499093@coconut.itojun.org>
On Fri, Mar 02, 2001 at 11:11:33AM +0900, itojun@iijlab.net wrote:
>
> >> the change, specifically the following part, seems to implement
> >> ingress filtering. the change will choke on multihomed hosts
> >> with asymmetric routing (like packets from X come into interface A,
> >> and packets to X go out from interface B). RFC2827 has more detail
> >> on it. I believe it is too strong a limitation.
> >
> >Actually, it is not source address ingress filtering as RFC2827 talks
> >about, but is a security-related patch, for an upcoming security
> >advisory. Multihomed hosts that are correctly set up will still work;
> >if the host wants to forward packet X out through another interface,
> >it is free to do so.
>
> sorry maybe I misread the patch. then I guess you have changed the
> host model from weak to strong. if so, there are lots of other
> components that need to be changed (source address selection, routing
> announcements for !IFF_UP interface routes), and I guess there will be
> lots of breakages in unnumbered interface settings and other
> configurations.
>
> I guess this is safer as default behavior. if firewalls need
> to behave as strong model-like, people are free to do so by installing
> filter configurations.
> http://www.kame.net/dev/cvsweb.cgi/kame/freebsd4/sys/netinet/ip_input.c.diff?r1=1.12&r2=1.13

Yes, this is a weaker approach. However, do you have any evidence that
things will break with a stronger model? Note that if the host is acting
as a router and forwarding between interfaces, the model reverts to the
original weaker behavior.
--
Jonathan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
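An added illustration, not code from the FreeBSD ip_input.c commit or from either poster: a toy C model of the weak versus strong host-model decision the thread argues about, including Jonathan's caveat that a host with forwarding enabled keeps the weak behaviour. The interface table, the `ip_input_decide` function and the `verdict` enum are assumed names for this example.

```c
/* Added example (assumed names, not the ip_input.c change itself): a toy
 * model of the weak vs. strong host-model check the thread argues about. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct ifaddr_entry {
    int      ifindex;   /* interface the address is configured on */
    uint32_t addr;      /* IPv4 address, host byte order */
};

enum verdict { DELIVER, FORWARD, DROP };

/* Constructed interface table: a two-homed host (ifindex 1 and 2). */
static const struct ifaddr_entry sample_ifa[] = {
    { 1, 0x0A000001 },  /* 10.0.0.1    on interface 1 */
    { 2, 0xC0A80001 },  /* 192.168.0.1 on interface 2 */
};
#define SAMPLE_IFA_N (sizeof sample_ifa / sizeof sample_ifa[0])

/* Decide the fate of a packet for dst that arrived on interface rcvif.
 * Weak model:   any locally configured address is accepted on any interface.
 * Strong model: dst must be configured on rcvif itself; a packet for one of
 *               our addresses arriving on the wrong interface is dropped.
 * When ip_forwarding is on the host is a router and, as the thread notes,
 * the strong check is not applied, so behaviour reverts to the weak model. */
enum verdict ip_input_decide(const struct ifaddr_entry *ifa, size_t n,
                             int rcvif, uint32_t dst,
                             bool strong_model, bool ip_forwarding)
{
    bool local_any = false, local_on_rcvif = false;
    for (size_t i = 0; i < n; i++) {
        if (ifa[i].addr != dst)
            continue;
        local_any = true;
        if (ifa[i].ifindex == rcvif)
            local_on_rcvif = true;
    }
    if (!local_any)                      /* not ours: forward or drop */
        return ip_forwarding ? FORWARD : DROP;
    if (local_on_rcvif)                  /* ours, on the receiving interface */
        return DELIVER;
    if (!strong_model || ip_forwarding)  /* ours, but on another interface */
        return DELIVER;
    return DROP;
}
```

With the constructed table, a packet for 192.168.0.1 arriving on interface 1 is dropped only under the strong model with forwarding off; every other combination delivers it.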