Date: Mon, 18 Dec 1995 17:52:38 +0100
From: "Frank ten Wolde" <franky@pinewood.nl>
To: gpalmer@westhill.cdrom.com
Cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
Message-ID: <9512181752.ZM8128@pwood1.pinewood.nl>
In-Reply-To: gpalmer@westhill.cdrom.com "Re: Order of rules in ip_fw chain" (Dec 15, 15:28)
References: <15305.819070126@westhill.cdrom.com>
On Dec 15, 15:28, gpalmer@westhill.cdrom.com wrote:
> Subject: Re: Order of rules in ip_fw chain
> "Frank ten Wolde" wrote in message ID
> <9512151302.ZM27077@pwood1.pinewood.nl>:
> > 1) I would suggest adding the following lines of code in
> > .../sys/netinet/ip_fw.c, line 879:
> >
> > #ifdef IPFIREWALL
> > int
> > ip_fw_ctl(stage, m)
> >         int stage;
> >         struct mbuf *m;
> > {
> >
> >         if (securelevel >= 2) {                 NEW
> >                 return (EPERM);                 NEW
> >         }                                       NEW
> >         if (stage == IP_FW_FLUSH) {
> >                 free_fw_chain(&ip_fw_chain);
> >                 return (0);
> >         }
> >         ...
> >
> > This would prevent any changes in the fw chain when running in
> > very secure level.
>
> Nice idea, but running at secure levels >>0 is not something I want to
> look at yet.  If nothing else, the only reason I would do it would be
> to set the sappend flag on the log files to prevent people tinkering
> with them, but how would you rotate them? :-( Taking the machine
> offline is NOT an option.

Please explain.  What exactly do you mean by '...is not something I want
to look at yet.'?  Do you mean it's not tested?

My firewall runs at securelevel 2.  My log files are *not* on the
firewall, but on some internal host in my secure net.  I have
simmutable'd most of my binaries and the /kernel file.  Running
securelevel 2 gives me a feeling of some degree of extra security (of
course I keep md5 checksum listings to check the integrity of my
binaries once in a while as well).

> > 2) I noticed that the order in which the fw checks incoming packets is
> > *not* the same as the order in which the packet rules were added.
>
> This is documented, and I have to agree with the author's idea that
> most people do NOT know what they are doing when playing with the
> firewall stuff and need some handholding.  He does agree with me,
> however, that we need an ``I know what I'm doing'' flag which inserts
> the rules into the chain in the order they are submitted.
I only found a reference in ipfw(8), but it did not explain the reason
behind this 'rule weighting system'.  Is it considered a bug?  (It's in
the BUGS section.)  Are you referring to further documentation?  I'm
curious to learn more about it -- and its purpose.

About this 'automatic reshuffling of rules', I favor the standpoint of
Bill Cheswick that the order of rules should be left to the administrator
and should be applied in the order that they are entered (at least this
is how I interpreted his statements in 'Building Internet Firewalls').
You could optionally write an *external* command to do 'intelligent'
re-ordering of rules (like a rule-compiler) before they are fed into the
kernel -- though I'd be very paranoid to use such a tool blindly.

Anyway -- this discussion belongs in some other list.

Thanks,

-Frank
--
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                     Pinewood Automation B.V.
E-mail: franky@pinewood.nl                  Kluyverweg 2a
Phone:  +31-15 2682543                      2629 HT Delft
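The two points argued in the thread above (rule order deciding the verdict of a first-match chain, and a securelevel gate on the control path) can be seen in a small user-space model. The following is an added example written for this archive page; it is not FreeBSD's ip_fw code. The chain applies rules strictly in the order they were entered, which is the behaviour Frank asks for, and does not model the kernel's rule weighting. `struct chain`, `chain_add`, `chain_flush`, `chain_check`, `verdict_for_order` and `flush_at_securelevel` are names chosen for the example, the `securelevel` variable is a stand-in for the kernel's, and the packet and rules are constructed test data.

```c
/* Added example, not FreeBSD ip_fw code: a first-match filter chain that
 * keeps rules in insertion order, plus a securelevel gate on changes to it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_RULES 16

enum action { ACT_DENY = 0, ACT_ACCEPT = 1 };

struct rule {
    uint32_t src;       /* source address to match (host byte order) */
    uint32_t src_mask;  /* 0 means "any source" */
    uint16_t dport;     /* 0 means "any destination port" */
    enum action act;
};

struct chain {
    struct rule rules[MAX_RULES];
    int n;
};

/* Stand-in for the kernel securelevel (assumption for this example). */
static int securelevel = 0;

/* Control path: refuse any change once the box is in "very secure" mode.
 * Returns 0, EPERM (locked down) or ENOSPC (chain full). */
int chain_add(struct chain *c, const struct rule *r)
{
    if (securelevel >= 2)
        return EPERM;
    if (c->n >= MAX_RULES)
        return ENOSPC;
    c->rules[c->n++] = *r;      /* appended: order of entry is preserved */
    return 0;
}

int chain_flush(struct chain *c)
{
    if (securelevel >= 2)
        return EPERM;
    c->n = 0;
    return 0;
}

/* Data path: the first rule that matches decides; no match means deny. */
enum action chain_check(const struct chain *c, uint32_t src, uint16_t dport)
{
    for (int i = 0; i < c->n; i++) {
        const struct rule *r = &c->rules[i];
        if ((src & r->src_mask) != (r->src & r->src_mask))
            continue;
        if (r->dport != 0 && r->dport != dport)
            continue;
        return r->act;
    }
    return ACT_DENY;
}

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Same two rules, entered in the given order, checked against one constructed
 * packet (src 10.1.2.3, dst port 25). Which rule comes first decides the verdict. */
enum action verdict_for_order(int deny_first)
{
    struct chain c = { .n = 0 };
    struct rule deny_internal = { ip4(10, 0, 0, 0), 0xff000000u, 0, ACT_DENY };
    struct rule accept_smtp   = { 0, 0, 25, ACT_ACCEPT };

    securelevel = 0;
    if (deny_first) {
        chain_add(&c, &deny_internal);
        chain_add(&c, &accept_smtp);
    } else {
        chain_add(&c, &accept_smtp);
        chain_add(&c, &deny_internal);
    }
    return chain_check(&c, ip4(10, 1, 2, 3), 25);
}

/* Load one rule, raise securelevel, then try to flush; returns the errno
 * the control path hands back (0 below level 2, EPERM at 2 or above). */
int flush_at_securelevel(int level)
{
    struct chain c = { .n = 0 };
    struct rule accept_smtp = { 0, 0, 25, ACT_ACCEPT };
    int rc;

    securelevel = 0;
    chain_add(&c, &accept_smtp);
    securelevel = level;
    rc = chain_flush(&c);
    securelevel = 0;
    return rc;
}

int main(void)
{
    printf("deny rule first:   %s\n", verdict_for_order(1) == ACT_ACCEPT ? "accept" : "deny");
    printf("accept rule first: %s\n", verdict_for_order(0) == ACT_ACCEPT ? "accept" : "deny");
    printf("flush at securelevel 2 -> %d (EPERM is %d)\n", flush_at_securelevel(2), EPERM);
    return 0;
}
```

The same two rules give opposite verdicts for the same packet depending only on which was entered first, which is why an administrator who wrote them in a deliberate order is surprised when the kernel reorders them. The gate in `chain_add` and `chain_flush` mirrors the shape of the proposed `ip_fw_ctl` check: once securelevel reaches 2 the chain can no longer be altered from userland.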