Date: Mon, 20 Jan 2003 16:59:40 -0800
From: Luigi Rizzo <rizzo@icir.org>
To: "Simon L. Nielsen" <simon@nitro.dk>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Sanity check in ipfw(8)
Message-ID: <20030120165940.A65713@xorpc.icir.org>
In-Reply-To: <20030121004353.GF351@nitro.dk>; from simon@nitro.dk on Tue, Jan 21, 2003 at 01:43:54AM +0100
References: <20030121004353.GF351@nitro.dk>
On Tue, Jan 21, 2003 at 01:43:54AM +0100, Simon L. Nielsen wrote: ... > I recently found a problem where ipfw2 would allow the user to create > firewall rules that does not make sense like (notice udp and setup) : here "not make sense" means "they will never match any packet". Now, no matter which checks you implement on a single rule, you can still generate sequences of rules that never match any traffic. E.g. ipfw add 100 skipto 102 ip from not 1.2.3.4 to any # you get here with srcip = 1.2.3.4 ipfw add 101 skipto 102 ip from not 1.2.3.4 to any rule 101 will never match. So... > Now for the point :-)... Is it interesting to have the extra sanity > check in ipfw(8) ? If it is I will try to make a patch that actually No, i don't think it is useful to have extra sanity check in userland, both for the above reason, and because these checks can be bypassed using directly the kernel ABI. There _are_ sanity checks in the kernel but these are only meant to avoid crashing the box by pushing in random configurations. If a rule matches no packets, tough -- it is not a problem of the firewall per se and it does not cause the box to break. cheers luigi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030120165940.A65713>
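Luigi's point above is that a check applied to one rule at a time cannot catch a rule that is unreachable only because of the rules before it. As an added illustration (not part of the original thread, and not ipfw's own code), the following Python script does the cross-rule analysis he describes as impossible per rule: it tracks, for each rule, the symbolic set of source addresses that can still reach it, and flags any rule whose match condition is empty at that point. The rule grammar is deliberately cut down to `ip from [not] <addr> to any` with the actions skipto/allow/deny/count; protocol, destination and all other options are ignored. The first rule list is Luigi's example with a rule 102 added so the skipto has a target; the second list is constructed here to show that the same analysis also catches a rule shadowed by an earlier terminal deny, which goes beyond the skipto case in the message.

```python
"""Toy reachability check for a simplified ipfw(8) rule list.

Only the source-address part of "ip from [not] <addr> to any" and the
actions skipto/allow/deny/count are modelled. Everything else is ignored.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrcSet:
    """Symbolic set of source addresses: exactly `addrs` when positive,
    every address except `addrs` when negative."""
    positive: bool
    addrs: frozenset

    def is_empty(self) -> bool:
        # A negative set can never be empty: the address space is far
        # larger than any finite list of exceptions.
        return self.positive and not self.addrs

    def complement(self) -> "SrcSet":
        return SrcSet(not self.positive, self.addrs)

    def intersect(self, other: "SrcSet") -> "SrcSet":
        if self.positive and other.positive:
            return SrcSet(True, self.addrs & other.addrs)
        if self.positive:
            return SrcSet(True, self.addrs - other.addrs)
        if other.positive:
            return SrcSet(True, other.addrs - self.addrs)
        return SrcSet(False, self.addrs | other.addrs)

    def union(self, other: "SrcSet") -> "SrcSet":
        # De Morgan: a | b == ~(~a & ~b)
        return self.complement().intersect(other.complement()).complement()


ALL = SrcSet(False, frozenset())
EMPTY = SrcSet(True, frozenset())

# Hypothetical cut-down grammar: [add] <num> <action> [<target>] <proto> from [not] <src> to <dst>
RULE_RE = re.compile(
    r"^(?:add\s+)?(?P<num>\d+)\s+(?P<action>skipto|allow|deny|count)"
    r"(?:\s+(?P<target>\d+))?\s+\S+\s+from\s+(?P<neg>not\s+)?(?P<src>\S+)\s+to\s+\S+$"
)


@dataclass
class Rule:
    num: int
    action: str
    target: Optional[int]
    cond: SrcSet  # source addresses the rule matches


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    cond = ALL if m["src"] == "any" else SrcSet(m["neg"] is None, frozenset([m["src"]]))
    target = int(m["target"]) if m["target"] else None
    if m["action"] == "skipto" and target is None:
        raise ValueError("skipto needs a target: %r" % line)
    return Rule(int(m["num"]), m["action"], target, cond)


def unreachable_rules(lines: List[str]) -> List[int]:
    """Return the numbers of rules that can never match any packet."""
    rules = sorted((parse_rule(l) for l in lines if l.strip()), key=lambda r: r.num)
    nums = [r.num for r in rules]
    incoming = {n: EMPTY for n in nums}  # packets that can reach each rule
    incoming[nums[0]] = ALL
    dead = []

    def jump_target(target: int, current: int) -> Optional[int]:
        # skipto lands on the first rule numbered >= target; only forward jumps
        return next((n for n in nums if n >= target and n > current), None)

    for i, rule in enumerate(rules):
        reach = incoming[rule.num]
        matched = reach.intersect(rule.cond)
        if matched.is_empty():
            dead.append(rule.num)
        fallthrough = reach.intersect(rule.cond.complement())  # packets that did not match
        if rule.action == "skipto":
            t = jump_target(rule.target, rule.num)
            if t is not None:
                incoming[t] = incoming[t].union(matched)
        elif rule.action == "count":
            fallthrough = reach  # count is not terminal: matched packets continue too
        # allow/deny: matched packets leave the ruleset here
        if i + 1 < len(rules):
            nxt = nums[i + 1]
            incoming[nxt] = incoming[nxt].union(fallthrough)
    return dead


# Luigi's example, plus a rule 102 so the skipto has a target (constructed).
LUIGI_RULES = [
    "add 100 skipto 102 ip from not 1.2.3.4 to any",
    "add 101 skipto 102 ip from not 1.2.3.4 to any",
    "add 102 allow ip from any to any",
]

# Constructed: rule 210 is shadowed by the terminal deny in rule 200.
SHADOW_RULES = [
    "add 200 deny ip from 10.0.0.1 to any",
    "add 210 allow ip from 10.0.0.1 to any",
    "add 220 allow ip from any to any",
]

if __name__ == "__main__":
    for name, rules in (("luigi", LUIGI_RULES), ("shadow", SHADOW_RULES)):
        print(name, "never matches:", unreachable_rules(rules))
```

Each rule on its own passes any single-rule sanity check; only the symbolic walk over the whole list shows that rule 101 (and rule 210) can never match. As Luigi notes, nothing forces a user through such a check anyway, since rules can be pushed straight into the kernel, so this is a lint for the administrator rather than a protection the firewall can rely on.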