Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Jan 2003 16:59:40 -0800
From:      Luigi Rizzo <rizzo@icir.org>
To:        "Simon L. Nielsen" <simon@nitro.dk>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Sanity check in ipfw(8)
Message-ID:  <20030120165940.A65713@xorpc.icir.org>
In-Reply-To: <20030121004353.GF351@nitro.dk>; from simon@nitro.dk on Tue, Jan 21, 2003 at 01:43:54AM +0100
References:  <20030121004353.GF351@nitro.dk>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Tue, Jan 21, 2003 at 01:43:54AM +0100, Simon L. Nielsen wrote:
...
> I recently found a problem where ipfw2 would allow the user to create
> firewall rules that does not make sense like (notice udp and setup) :

here "not make sense" means "they will never match any packet".
Now, no matter which checks you implement on a single rule, you can
still generate sequences of rules that never match any traffic. E.g.

        ipfw add 100 skipto 102 ip from not 1.2.3.4 to any
        # you get here with srcip = 1.2.3.4
        ipfw add 101 skipto 102 ip from not 1.2.3.4 to any

rule 101 will never match. So...

> Now for the point :-)... Is it interesting to have the extra sanity
> check in ipfw(8) ? If it is I will try to make a patch that actually

No, i don't think it is useful to have extra sanity check in userland,
both for the above reason, and because these checks can be bypassed
using directly the kernel ABI.

There _are_ sanity checks in the kernel but these are only meant
to avoid crashing the box by pushing in random configurations. If
a rule matches no packets, tough -- it is not a problem of the firewall
per se and it does not cause the box to break.

	cheers
	luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20030120165940.A65713>