Date:      Wed, 10 May 2000 04:10:06 -0700 (PDT)
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: bin/18354: NATD diverts DMZ packets to firewall host
Message-ID:  <200005101110.EAA50994@freefall.freebsd.org>

The following reply was made to PR bin/18354; it has been noted by GNATS.

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Charles Mott <cmott@scientech.com>
Cc: Brian Somers <brian@Awfulhak.org>,
	goran.lowkrantz@infologigruppen.se, freebsd-gnats-submit@FreeBSD.org,
	Eivind Eklund <perhaps@yes.no>, Ari Suutari <ari@suutari.iki.fi>
Subject: Re: bin/18354: NATD diverts DMZ packets to firewall host
Date: Wed, 10 May 2000 13:57:51 +0300

 On Wed, May 10, 2000 at 12:38:36AM -0600, Charles Mott wrote:
 > > We decided to ask about the original intentions and decide what to do 
 > > based on the outcome, but haven't received a reply from Charles (cc'd 
 > > as a gentle poke) yet.
 > 
 > The original intention was that libalias would be cognizant
 > of certain protocols (tcp, udp, icmp to start out with) and
 > not alter or drop any other protocols.  My opinion at the time
 > was that ipfw rules should deal with other protocols.
 > 
 > However, it appears that libalias is being generalized to
 > handle arbitrary protocols, and my original thinking may no
 > longer be appropriate.
 > 
 > My suggestion is that incoming packets for arbitrary
 > protocols (and not associated with any static redirect rules
 > or dynamic associations) be dropped if the PKT_ALIAS_DENY_INCOMING
 > bit is set.
 > 
 The question here is what to do if PKT_ALIAS_DENY_INCOMING is NOT SET!
 My opinion is that it should not be altered by libalias(3) at all.
 As of current, it is redirected (by default) to aliasAddress.
 
 As for PKT_ALIAS_DENY_INCOMING, it is honored for TCP/UDP and generic proto
 packets.
 
 
 -- 
 Ruslan Ermilov		Sysadmin and DBA of the
 ru@ucb.crimea.ua	United Commercial Bank,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.247.647	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
 

