Date: Sat, 22 Jan 2000 18:14:29 +0200
From: Giorgos Keramidas <charon@hades.hell.gr>
To: Warner Losh <imp@village.org>
Cc: Don Lewis <gdonl@tsc.tdk.com>, security@FreeBSD.ORG
Subject: Re: stream.c worst-case kernel paths
Message-ID: <20000122181429.A30060@hades.hell.gr>
In-Reply-To: <200001220609.XAA18444@harmony.village.org>
References: <200001220551.VAA15775@salsa.gv.tsc.tdk.com> <200001220609.XAA18444@harmony.village.org>

On Fri, Jan 21, 2000 at 11:09:39PM -0700, Warner Losh wrote:
> In message <200001220551.VAA15775@salsa.gv.tsc.tdk.com> Don Lewis writes:
> : (b) still needs to be generalized to cover other paths that generate
> : RST packets.
>
> I think that the discarding of multi-cast packets is one of those
> can't hurt sorts of things.

Yup, it didn't hurt me at all when I used the ipfilter rules shown below
all day today. I didn't try stream'ing my machines but I suspect these
rules will stay with me until I know the kernel does the same thing by
default:

    pass in on ppp0 head 100
    block in proto tcp from 224.0.0.0/4 to any group 100
    block out proto tcp from any to 224.0.0.0/4

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"Don't let your schooling interfere with your education." [Mark Twain]