Date: Fri, 15 Dec 1995 09:11:15 -0700
From: Nate Williams <nate@rocky.sri.MT.net>
To: "Frank ten Wolde" <franky@pinewood.nl>
Cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
Message-ID: <199512151611.JAA16380@rocky.sri.MT.net>
In-Reply-To: <9512151302.ZM27077@pwood1.pinewood.nl>
References: <9512151302.ZM27077@pwood1.pinewood.nl>
> I have three questions/suggestions for discussion on the implementation of
> the ip firewall filter in FreeBSD 2.1.0. I would like to see who shares
> my ideas or if there are sound reasons why *not* to modify the existing
> implementation...
>
> Here I go:
>
> 1) I would suggest adding the following lines of code in
> .../sys/netinet/ip_fw.c, line 879:
>
> #ifdef IPFIREWALL
> int
> ip_fw_ctl(stage, m)
> 	int stage;
> 	struct mbuf *m;
> {
>
> 	if (securelevel >= 2) {		/* NEW */
> 		return (EPERM);		/* NEW */
> 	}				/* NEW */

Just out of curiosity, how are you adding the lines to the firewall
list *before* the machine goes multi-user? On my box, I can't simply
because the networking code isn't (yet) up and running.

> 2) I noticed that the order in which the fw checks incoming packets is
> *not* the same as the order in which the packet rules were added.
> IMHO this should be fixed. I have not had the time (yet) to have
> a look at the source myself, but will do so in the next few weeks.
Ugen was supposed to be working on this a while back. I agree that
something should be done. His work was going to allow 'priority' based
rules, which I agree would be a good thing. Either that or allow the
rules to be listed in the same order in the kernel as they are added.
But, you'd need a way to modify the list in non-secure mode, so I think
the priority based approach is probably more flexible.
Nate
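The following is an added example, not FreeBSD's ip_fw.c and not code from either message in this thread. It is a small user-space model of a filter rule chain that shows the two points under discussion: a securelevel guard on the control entry point (here narrowed to the stages that modify the chain, so a locked-down host can still list its rules, which is an assumption beyond the patch quoted above), and a chain that keeps rules in the order they were added so the first match wins, with an optional priority field on top of that (lower value = checked earlier, equal values keep insertion order). All names (`fw_ctl`, `fw_check`, `fw_add`, `fw_del`, the stage enum) and the sample rules are assumed.

```c
/* Added example; not FreeBSD's ip_fw.c and not code from this thread.
 * Names and stage values are assumed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXRULES 16

enum fw_stage  { FW_ADD, FW_DEL, FW_FLUSH, FW_LIST };
enum fw_action { FW_PASS = 1, FW_DENY = 2 };

struct fw_rule {
    unsigned int src;    /* IPv4 source address, host byte order */
    unsigned int mask;   /* netmask applied to the packet's source */
    unsigned int prio;   /* lower = checked earlier; equal = insertion order */
    int action;          /* FW_PASS or FW_DENY */
};

static struct fw_rule chain[MAXRULES];
static int nrules;
int securelevel = 0;     /* stands in for the kernel's securelevel variable */

/* Control entry point, modelled on ip_fw_ctl(stage, m). Only the stages
 * that modify the chain are refused once securelevel reaches 2. */
int fw_ctl(int stage, const struct fw_rule *r)
{
    int i, pos;

    if (stage != FW_LIST && securelevel >= 2)
        return EPERM;

    switch (stage) {
    case FW_ADD:
        if (r == NULL) return EINVAL;
        if (nrules == MAXRULES) return ENOSPC;
        /* Insert before the first rule with a strictly higher priority value;
         * rules of equal priority therefore stay in the order they were added. */
        pos = nrules;
        for (i = 0; i < nrules; i++)
            if (chain[i].prio > r->prio) { pos = i; break; }
        memmove(&chain[pos + 1], &chain[pos], (nrules - pos) * sizeof chain[0]);
        chain[pos] = *r;
        nrules++;
        return 0;
    case FW_DEL:
        if (r == NULL) return EINVAL;
        for (i = 0; i < nrules; i++)
            if (chain[i].src == r->src && chain[i].mask == r->mask &&
                chain[i].action == r->action) {
                memmove(&chain[i], &chain[i + 1],
                        (nrules - i - 1) * sizeof chain[0]);
                nrules--;
                return 0;
            }
        return ENOENT;
    case FW_FLUSH:
        nrules = 0;
        return 0;
    case FW_LIST:
        for (i = 0; i < nrules; i++)
            printf("%2d: prio %u src %08x/%08x %s\n", i, chain[i].prio,
                   chain[i].src, chain[i].mask,
                   chain[i].action == FW_DENY ? "deny" : "pass");
        return 0;
    }
    return EINVAL;
}

/* Convenience wrappers so callers need not build a struct by hand. */
int fw_add(unsigned int src, unsigned int mask, unsigned int prio, int action)
{
    struct fw_rule r = { src, mask, prio, action };
    return fw_ctl(FW_ADD, &r);
}

int fw_del(unsigned int src, unsigned int mask, int action)
{
    struct fw_rule r = { src, mask, 0, action };
    return fw_ctl(FW_DEL, &r);
}

/* Packet check: walk the chain in order; the first matching rule decides.
 * A packet matching no rule is passed (this toy's default policy). */
int fw_check(unsigned int src)
{
    int i;
    for (i = 0; i < nrules; i++)
        if ((src & chain[i].mask) == chain[i].src)
            return chain[i].action;
    return FW_PASS;
}

int main(void)
{
    /* Constructed rules: deny 10.0.0.0/8, but pass the single host 10.0.0.1. */
    fw_add(0x0A000000u, 0xFF000000u, 0, FW_DENY);
    fw_add(0x0A000001u, 0xFFFFFFFFu, 0, FW_PASS);
    printf("10.0.0.1, deny added first: %s\n",
           fw_check(0x0A000001u) == FW_DENY ? "deny" : "pass");

    /* Same rules, but the host exception carries the lower priority value. */
    fw_ctl(FW_FLUSH, NULL);
    fw_add(0x0A000000u, 0xFF000000u, 5, FW_DENY);
    fw_add(0x0A000001u, 0xFFFFFFFFu, 1, FW_PASS);
    printf("10.0.0.1, with priorities: %s\n",
           fw_check(0x0A000001u) == FW_DENY ? "deny" : "pass");

    securelevel = 2;
    printf("add at securelevel 2: %s\n",
           fw_add(0x0A000003u, 0xFFFFFFFFu, 0, FW_DENY) == EPERM ? "EPERM" : "allowed");
    fw_ctl(FW_LIST, NULL);   /* listing is still permitted */
    return 0;
}
```

The first scenario is the ordering problem from point 2: with the host exception appended after the network deny, the deny matches first and the exception is dead. Giving the exception a lower priority value puts it ahead in the chain regardless of when it was added, which is the "priority based" alternative Nate describes; leaving all priorities equal gives the "same order as added" behaviour.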