From owner-freebsd-hackers Fri Dec 15 08:09:03 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id IAA00172 for hackers-outgoing; Fri, 15 Dec 1995 08:09:03 -0800 (PST)
Received: from rocky.sri.MT.net (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA00165 for ; Fri, 15 Dec 1995 08:08:59 -0800 (PST)
Received: (from nate@localhost) by rocky.sri.MT.net (8.6.12/8.6.12) id JAA16380; Fri, 15 Dec 1995 09:11:15 -0700
Date: Fri, 15 Dec 1995 09:11:15 -0700
From: Nate Williams
Message-Id: <199512151611.JAA16380@rocky.sri.MT.net>
To: "Frank ten Wolde"
Cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
In-Reply-To: <9512151302.ZM27077@pwood1.pinewood.nl>
References: <9512151302.ZM27077@pwood1.pinewood.nl>
Sender: owner-hackers@freebsd.org
Precedence: bulk

> I have three questions/suggestions for discussion on the implementation of
> the ip firewall filter in FreeBSD 2.1.0. I would like to see who shares
> my ideas or if there are sound reasons why *not* to modify the existing
> implementation...
>
> Here I go:
>
> 1) I would suggest adding the following lines of code in
> .../sys/netinet/ip_fw.c, line 879:
>
>     #ifdef IPFIREWALL
>     int
>     ip_fw_ctl(stage, m)
>         int stage;
>         struct mbuf *m;
>     {
>
>         if (securelevel >= 2) {        NEW
>             return (EPERM);            NEW
>         }                              NEW

Just out of curiosity, how are you adding the lines to the firewall list
*before* the machine goes multi-user? On my box, I can't simply because
the networking code isn't (yet) up and running.

> 2) I noticed that the order in which the fw checks incoming packets is
> *not* the same as the order in which the packet rules were added.
> IMHO this should be fixed. I have not had the time (yet) to have
> a look at the source myself, but will do so in the next few weeks.

Ugen was supposed to be working on this a while back. I agree that
something should be done.

His work was going to allow 'priority' based rules, which I agree would be
a good thing. Either that or allow the rules to be listed in the same
order in the kernel as they are added. But, you'd need a way to modify
the list in non-secure mode, so I think the priority based approach is
probably more flexible.

Nate
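The two points under discussion, the securelevel gate on the control path and priority-ordered rules so that check order no longer depends on insertion order, shown together in a small stand-alone model. This is an added illustration, not code from FreeBSD's ip_fw.c; fw_rule, fw_add, fw_match, fw_flush and the global securelevel are this example's own names.

```c
/* Added illustration, not FreeBSD's ip_fw.c: a minimal rule chain that
 * (a) refuses changes once securelevel >= 2, as point 1 proposes, and
 * (b) keeps rules sorted by an explicit priority, as point 2 suggests,
 * so the order of checking never depends on the order rules were added.
 * All names here (fw_rule, fw_add, fw_match, securelevel) are assumed. */
#include <errno.h>
#include <stdlib.h>

int securelevel = 0;               /* stand-in for the kernel's securelevel */

struct fw_rule {
    int priority;                  /* lower number is checked first */
    unsigned long src, mask;       /* match when (src_addr & mask) == src */
    int accept;                    /* 1 = accept, 0 = deny */
    struct fw_rule *next;
};

static struct fw_rule *chain;      /* head of the rule chain */

/* Insert a rule in priority order; equal priorities keep insertion order. */
int fw_add(int priority, unsigned long src, unsigned long mask, int accept)
{
    struct fw_rule *r, **pp;
    if (securelevel >= 2)
        return EPERM;              /* chain is frozen once the system is secured */
    r = malloc(sizeof *r);
    if (r == NULL)
        return ENOMEM;
    r->priority = priority; r->src = src; r->mask = mask; r->accept = accept;
    pp = &chain;
    while (*pp != NULL && (*pp)->priority <= priority)
        pp = &(*pp)->next;
    r->next = *pp;
    *pp = r;
    return 0;
}

/* First matching rule wins; default deny when nothing matches. */
int fw_match(unsigned long src_addr)
{
    const struct fw_rule *r;
    for (r = chain; r != NULL; r = r->next)
        if ((src_addr & r->mask) == r->src)
            return r->accept;
    return 0;
}

/* Discard the whole chain (subject to the same securelevel gate). */
int fw_flush(void)
{
    if (securelevel >= 2)
        return EPERM;
    while (chain != NULL) { struct fw_rule *r = chain; chain = r->next; free(r); }
    return 0;
}
```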