Date: Thu, 4 Jul 2002 04:34:09 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: RFC: inconsistent behaviour on packets generated by the firewall
Message-ID: <20020704043409.A26837@iguana.icir.org>

Hi,

I was looking at the implementation of ipfw rules which generate a
feedback packet back to the source (reset, reject and unreach) and I
realised that there is a potential problem here...

Some ICMP packets generated by the host bypass the firewall, but TCP
RSTs do not, so they can be blocked themselves (this is the way the old
ipfw works, and there is code to prevent loops).

I think policies should be consistent: either all packets (including
ICMPs generated by the firewall) should go through the firewall again
(with proper countermeasures to avoid loops), or all packets generated
by the firewall should bypass the firewall and go to the correct
destination.

So, what do we want to do?

cheers
luigi
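To make the inconsistency concrete, here is a small packet-filter model written for this page; it is not ipfw code and does not belong to the poster. It models first-match rules with reset/unreach actions, the feedback packet (TCP RST or ICMP unreachable) such a rule generates, and three policies for what happens to that feedback packet: the "legacy" behaviour described above (ICMP bypasses the firewall, the RST re-traverses it), "all_through" (everything re-traverses, with a loop guard), and "all_bypass". The rule and packet shapes, the policy names, the `feedback` marker used as the loop guard, the default-deny fallthrough and the sample ruleset and addresses are all assumptions made for the illustration.

```python
# Toy model of how a packet filter handles the feedback packets (TCP RST,
# ICMP unreachable) that its own reset/unreach rules generate.
# Constructed illustration only: not ipfw code. The rule/packet shapes,
# the policy names and the `feedback` marker are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str          # "in" = arriving from the wire, "out" = leaving the host
    feedback: bool = False  # assumed marker: set on packets the firewall itself generated


@dataclass(frozen=True)
class Rule:
    action: str             # "allow", "deny", "reset" (send TCP RST) or "unreach" (send ICMP error)
    proto: str = "any"
    direction: str = "any"

    def matches(self, p: Packet) -> bool:
        return self.proto in ("any", p.proto) and self.direction in ("any", p.direction)


def feedback_for(rule: Rule, p: Packet) -> Optional[Packet]:
    """The packet a reset/unreach rule sends back toward p's source."""
    if rule.action == "reset" and p.proto == "tcp":
        return Packet("tcp", p.dst, p.src, "out", feedback=True)   # TCP RST
    if rule.action == "unreach":
        return Packet("icmp", p.dst, p.src, "out", feedback=True)  # ICMP unreachable
    return None


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[Packet]]:
    """First-match evaluation. Returns (verdict, feedback packet or None).
    Unmatched packets fall to an assumed default-deny rule. A packet that is
    itself feedback never triggers further feedback: that is the loop guard."""
    for r in rules:
        if not r.matches(p):
            continue
        if r.action == "allow":
            return "allow", None
        if r.action == "deny":
            return "deny", None
        return "deny", (None if p.feedback else feedback_for(r, p))
    return "deny", None


def run(rules: List[Rule], p: Packet, policy: str) -> Tuple[str, Optional[bool]]:
    """Process p under one of three feedback policies:
      "legacy"      - ICMP feedback bypasses the firewall, a TCP RST re-traverses it
      "all_through" - every feedback packet re-traverses the firewall
      "all_bypass"  - every feedback packet goes straight to the wire
    Returns (verdict for p, whether the feedback packet actually reached the wire)."""
    verdict, fb = evaluate(rules, p)
    if fb is None:
        return verdict, None
    if policy == "all_bypass" or (policy == "legacy" and fb.proto == "icmp"):
        return verdict, True
    fb_verdict, fb_fb = evaluate(rules, fb)   # feedback re-enters as an outbound packet
    assert fb_fb is None, "loop guard failed"
    return verdict, fb_verdict == "allow"


# Constructed ruleset: reject inbound probes and (over-broadly) forbid all
# outbound traffic. Nothing here distinguishes the two kinds of feedback.
RULES = [
    Rule("unreach", "udp", "in"),
    Rule("reset", "tcp", "in"),
    Rule("deny", "any", "out"),
]
UDP_PROBE = Packet("udp", "198.51.100.7", "192.0.2.1", "in")
TCP_SYN = Packet("tcp", "198.51.100.7", "192.0.2.1", "in")

# A rule that would answer its own RST with another RST without the loop guard.
LOOP_RULES = [Rule("reset", "tcp", "any")]

if __name__ == "__main__":
    for policy in ("legacy", "all_through", "all_bypass"):
        for name, pkt in (("udp probe", UDP_PROBE), ("tcp syn", TCP_SYN)):
            print(f"{policy:12s} {name:9s} -> {run(RULES, pkt, policy)}")
    print("loop guard:", run(LOOP_RULES, TCP_SYN, "all_through"))
```

Under "legacy" the same ruleset sends the ICMP unreachable but silently drops the RST, which is exactly the asymmetry the post complains about; under either consistent policy both feedback packets get the same treatment, and the `feedback` marker is what keeps a reset-any rule from answering its own RST.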