From owner-freebsd-security Fri Jan 21 9:41:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id EFB22154EC for ; Fri, 21 Jan 2000 09:41:44 -0800 (PST) (envelope-from brett@lariat.org)
Received: from workhorse (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id KAA21080; Fri, 21 Jan 2000 10:41:27 -0700 (MST)
Message-Id: <4.2.2.20000121103732.01a619a0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Fri, 21 Jan 2000 10:41:23 -0700
To: David G Andersen
From: Brett Glass
Subject: Re: stream.c workaround clarification
Cc: rbezuide@oskar.dev.nanoteq.co.za (Reinier Bezuidenhout), robinson@netrinsics.com (Michael Robinson), freebsd-security@FreeBSD.ORG
In-Reply-To: <200001211643.JAA02231@faith.cs.utah.edu>
References: <4.2.2.20000121093753.01a51ba0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:43 AM 1/21/2000 , David G Andersen wrote:

>Lo and behold, Brett Glass once said:
>
> > No, IPFW can't do it without assistance from another program,
> > which has not yet been written.
>
> And which I'd wager you won't want to do. The overhead of pushing the
>acks into usermode will clobber you just as badly.

The ring transition would take time, but the even bigger hit would be maintaining session tables. That work is redundant, because the kernel has to do it too. The programming effort is better spent on the kernel, unless you're firewalling downstream machines, in which case it'd be better to modify IPFW's kernel code or use IPFilter.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message