Date: Thu, 4 Jul 2002 04:34:09 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: ipfw@freebsd.org
Subject: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704043409.A26837@iguana.icir.org>
Hi,

I was looking at the implementation of ipfw rules which generate a feedback packet back to the source (reset, reject and unreach) and I realised that there is a potential problem here...

Some ICMP packets generated by the host bypass the firewall, but TCP RSTs do not, so they can be blocked themselves (this is the way the old ipfw works, and there is code to prevent loops).

I think policies should be consistent -- either all packets (including ICMPs generated by the firewall) should go through the firewall again (with proper countermeasures to avoid loops), or all packets generated by the firewall should bypass the firewall and go to the correct destination.

So, what do we want to do ?

cheers
luigi