Subject: Re: making our tcp/ip a strong-end system
To: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-net
Date: 11/13/1998 10:33:28
In message <199811122148.IAA09760@wombat.cs.rmit.edu.au>  Luke Mewburn wrote:
> Todd Vierling writes:
> > Then why not just use ipf and eliminate all of the workarounds of
> > workarounds?

I did ask that one too ...

> 
> What about non unicast packets?
> 

No Problem,

> Given ne0 = 1.2.3.4, ne1 = 4.3.2.1, ne2 = 2.3.4.5, you'd probably need
> 	block in quick on ne0 from any to 4.3.2.1/32
> 	block in quick on ne0 from any to 2.3.4.5/32
> 	block in quick on ne1 from any to 1.2.3.4/32
> 	block in quick on ne1 from any to 2.3.4.5/32
> 	block in quick on ne2 from any to 1.2.3.4/32
> 	block in quick on ne2 from any to 4.3.2.1/32
> 
> Which may be more scalable to:
> 	block in on ne0 from any to <thishost>
> 	block in on ne1 from any to <thishost>
> 	block in on ne2 from any to <thishost>
> 	pass in on ne0 from any to 1.2.3.4/32
> 	pass in on ne1 from any to 4.3.2.1/32
> 	pass in on ne2 from any to 2.3.4.5/32
> If <thishost> maps to any address of this machine.

Or simpler
	block in on ne0 from any to any
	block in on ne1 from any to any
	block in on ne2 from any to any
	pass in on ne0 from any to 1.2.3.4/netmask_of_ne0
	pass in on ne1 from any to 4.3.2.1/netmask_of_ne1
	pass in on ne2 from any to 2.3.4.5/netmask_of_ne2
BTW I would add (raging paranoia ...):
	block out on ne0 from any to any
	block out on ne1 from any to any
	block out on ne2 from any to any
	pass out on ne0 from 1.2.3.4/netmask_of_ne0 to any
	pass out on ne1 from 4.3.2.1/netmask_of_ne1 to any
	pass out on ne2 from 2.3.4.5/netmask_of_ne2 to any
	block out on ne0 from any to 4.3.2.1/netmask_of_ne1
	block out on ne0 from any to 2.3.4.5/netmask_of_ne2
	...

The netmask stuff ensures you get the broadcasts. As there
is no other interface which would match, it's no problem.
I'm running this on my Internet gateway (486 100MHz NetBSD 1.2BETA)
with 4 interfaces and no problems. I do a block log and learn
a lot of interesting stuff people try ...

> 
> (Darren, please correct me here if I'm wrong)
> 
> 
> It looks like the strongendsystem stuff is controversial enough in its
> current form that I'll have to take another look (the code needs work
> anyway). Possibly adding the ability to set the flag per interface
> would be useful.
> 
> Note: in any case, this change was *not* going to be the default, and
> was only provided for people who wanted it.

As I argued before, the security you get is incomplete without ipf anyway,
so why not use it here too???

Stefan

--
Stefan Grefen                                Tandem Computers Europe Inc.
grefen@hprc.tandem.com                       High Performance Research Center
 --- Hacking's just another word for nothing left to kludge. ---
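The two rule sets in this message (Luke's "quick" variant and Stefan's "simpler" block-then-pass variant) only give the same strong-end behaviour because of how ipf walks its rules: the last matching rule wins unless a matching rule is marked "quick", which ends evaluation at once. The following is an added worked example, not code from the thread or from ipf itself: a small evaluator for exactly the rule subset quoted above, run over the packets that matter for a strong end system. It assumes a /24 netmask on every interface (standing in for the netmask_of_neN placeholders) and models ipf's default of passing a packet that matches no rule.

```python
"""Toy evaluator for the ipf rule subset used in the thread:
    block|pass in|out [quick] on <iface> from <addr> to <addr>
Modelled ipf semantics: rules are walked top to bottom, the LAST matching
rule decides, and a matching "quick" rule stops the walk immediately.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                           # "block" or "pass"
    direction: str                        # "in" or "out"
    quick: bool                           # stop evaluating if this rule matches
    iface: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def _addr(tok: str) -> Optional[ipaddress.IPv4Network]:
    # "1.2.3.4/24" is accepted as the network 1.2.3.0/24, as ipf does
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    t = line.split()
    action, direction, i, quick = t[0], t[1], 2, False
    if t[i] == "quick":
        quick, i = True, i + 1
    if t[i] != "on" or t[i + 2] != "from" or t[i + 4] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(action, direction, quick, t[i + 1], _addr(t[i + 3]), _addr(t[i + 5]))


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def evaluate(rules, direction: str, iface: str, src: str, dst: str) -> str:
    """Return 'pass' or 'block' for one packet seen on one interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"                      # assumed ipf default: no match => pass
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        verdict = r.action                # last match wins ...
        if r.quick:
            break                         # ... unless the matching rule is quick
    return verdict


# Stefan's "simpler" inbound set, netmask_of_neN assumed to be /24 everywhere.
STRONG_END_IN = """
block in on ne0 from any to any
block in on ne1 from any to any
block in on ne2 from any to any
pass in on ne0 from any to 1.2.3.4/24
pass in on ne1 from any to 4.3.2.1/24
pass in on ne2 from any to 2.3.4.5/24
"""

# Luke's first variant, which relies on "quick" rather than on rule order.
QUICK_IN = """
block in quick on ne0 from any to 4.3.2.1/32
block in quick on ne0 from any to 2.3.4.5/32
block in quick on ne1 from any to 1.2.3.4/32
block in quick on ne1 from any to 2.3.4.5/32
block in quick on ne2 from any to 1.2.3.4/32
block in quick on ne2 from any to 4.3.2.1/32
"""


def strong_end_checks(ruleset: str) -> dict:
    """Constructed packets arriving on ne0 that a strong end system must sort out."""
    rules = parse_rules(ruleset)
    return {
        "own addr, right iface": evaluate(rules, "in", "ne0", "9.9.9.9", "1.2.3.4"),
        "other iface addr":      evaluate(rules, "in", "ne0", "9.9.9.9", "4.3.2.1"),
        "directed broadcast":    evaluate(rules, "in", "ne0", "1.2.3.7", "1.2.3.255"),
        "limited broadcast":     evaluate(rules, "in", "ne0", "0.0.0.0", "255.255.255.255"),
    }


if __name__ == "__main__":
    for name, rs in (("last-match set", STRONG_END_IN), ("quick set", QUICK_IN)):
        print(name, strong_end_checks(rs))
```

Both sets block a packet for ne1's address arriving on ne0 and let the directed broadcast 1.2.3.255 through on ne0, which is the netmask point made in the message. They differ on the limited broadcast 255.255.255.255: it lies outside 1.2.3.0/24, so the block-then-pass set drops it, while the quick set (which has no default block) passes it. Reversing the order of the block-then-pass set turns every inbound packet into a block, which is why that style depends on the pass rules staying after the blocks.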