Subject: Re: making our tcp/ip a strong-end system
To: Luke Mewburn <lukem@goanna.cs.rmit.edu.au>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-net
Date: 11/13/1998 10:33:28
In message <199811122148.IAA09760@wombat.cs.rmit.edu.au> Luke Mewburn wrote:
> Todd Vierling writes:
> > Then why not just use ipf and eliminate all of the workarounds of
> > workarounds?
I did ask that one too ...
>
> What about non unicast packets?
>
No problem,
> Given ne0 = 1.2.3.4, ne1 = 4.3.2.1, ne2 = 2.3.4.5, you'd probably need
> block in quick on ne0 from any to 4.3.2.1/32
> block in quick on ne0 from any to 2.3.4.5/32
> block in quick on ne1 from any to 1.2.3.4/32
> block in quick on ne1 from any to 2.3.4.5/32
> block in quick on ne2 from any to 1.2.3.4/32
> block in quick on ne2 from any to 4.3.2.1/32
>
> Which may be more scalable to:
> block in on ne0 from any to <thishost>
> block in on ne1 from any to <thishost>
> block in on ne2 from any to <thishost>
> pass in on ne0 from any to 1.2.3.4/32
> pass in on ne1 from any to 4.3.2.1/32
> pass in on ne2 from any to 2.3.4.5/32
> If <thishost> maps to any address of this machine.
Or simpler
block in on ne0 from any to any
block in on ne1 from any to any
block in on ne2 from any to any
pass in on ne0 from any to 1.2.3.4/netmask_of_ne0
pass in on ne1 from any to 4.3.2.1/netmask_of_ne1
pass in on ne2 from any to 2.3.4.5/netmask_of_ne2
BTW I would add (raging paranoia ...):
block out on ne0 from any to any
block out on ne1 from any to any
block out on ne2 from any to any
pass out on ne0 from 1.2.3.4/netmask_of_ne0 to any
pass out on ne1 from 4.3.2.1/netmask_of_ne1 to any
pass out on ne2 from 2.3.4.5/netmask_of_ne2 to any
block out on ne0 from any to 4.3.2.1/netmask_of_ne1
block out on ne0 from any to 2.3.4.5/netmask_of_ne2
...
The netmask stuff ensures you get the broadcasts. As there
is no other interface which would match, it's no problem.
I'm running this on my Internet gateway (486 100MHz NetBSD 1.2BETA)
with 4 interfaces and no problems. I do a block log and learn
a lot of interesting stuff people try ...
>
> (Darren, please correct me here if I'm wrong)
>
>
> It looks like the strongendsystem stuff is controversial enough in its
> current form that I'll have to take another look (the code needs work
> anyway). Possibly adding the ability to set the flag per interface
> would be useful.
>
> Note: in any case, this change was *not* going to be the default, and
> was only provided for people who wanted it.
As I argued before the security you get is incomplete without ipf anyway,
so why not use it here too???
Stefan
--
Stefan Grefen Tandem Computers Europe Inc.
grefen@hprc.tandem.com High Performance Research Center
--- Hacking's just another word for nothing left to kludge. ---
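The rule sets discussed in this thread, modelled as an added example (this is not code from the thread, from NetBSD or from ipf itself; it is a small Python model of ipf's rule scanning written for illustration). It parses the rule subset used above (block/pass, in/out, optional quick, on IFACE, from/to any or addr/len), evaluates a packet the way ipf does (last matching rule wins unless a matching rule says quick), and generates Stefan's "block everything, then pass only this interface's address/netmask" set for a constructed interface table. The thread leaves the netmasks as placeholders (netmask_of_ne0 ...); /24 on every interface is an assumption made here, as is filling in the elided cross-interface "block out" lines for every interface pair. A /32-only variant is generated alongside purely for contrast, to show why the netmask matters for directed broadcasts.

```python
"""Model of the ipf rule sets from the tech-net thread: strong-end-system
behaviour via per-interface block/pass rules, and the broadcast caveat."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed interface table from the thread (ne0/ne1/ne2 addresses as
# given there). The /24 netmasks are an assumption; the thread only writes
# netmask_of_ne0 etc.
INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "ne0": ipaddress.ip_interface("1.2.3.4/24"),
    "ne1": ipaddress.ip_interface("4.3.2.1/24"),
    "ne2": ipaddress.ip_interface("2.3.4.5/24"),
}


@dataclass
class Rule:
    action: str                           # "block" or "pass"
    direction: str                        # "in" or "out"
    quick: bool                           # stop scanning once this rule matches
    iface: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    # strict=False lets "1.2.3.4/24" stand for the network 1.2.3.0/24,
    # which is what the pass-to-addr/netmask rules in the thread rely on.
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the ipf subset used in the thread:
    (block|pass) (in|out) [quick] on IFACE from (any|a.b.c.d/len) to (any|a.b.c.d/len)"""
    tok = line.split()
    action, direction, rest = tok[0], tok[1], tok[2:]
    quick = bool(rest) and rest[0] == "quick"
    if quick:
        rest = rest[1:]
    if len(rest) != 6 or rest[0] != "on" or rest[2] != "from" or rest[4] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(action, direction, quick, rest[1], _net(rest[3]), _net(rest[5]))


def evaluate(rules: List[Rule], direction: str, iface: str, src: str, dst: str) -> str:
    """ipf semantics: scan rules in order, the last matching rule decides,
    except that a matching 'quick' rule decides immediately. No match: pass."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"
    for r in rules:
        if r.direction != direction or r.iface != iface:
            continue
        if r.src is not None and src_ip not in r.src:
            continue
        if r.dst is not None and dst_ip not in r.dst:
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def strong_end_rules(interfaces: Dict[str, ipaddress.IPv4Interface],
                     use_netmask: bool = True) -> List[Rule]:
    """Generate the block-everything-then-pass-own-address set from the thread.
    use_netmask=True passes addr/netmask (admits directed broadcasts);
    use_netmask=False is a /32-only variant constructed here for contrast."""
    text: List[str] = []
    for name in interfaces:
        text.append(f"block in on {name} from any to any")
        text.append(f"block out on {name} from any to any")
    for name, ifa in interfaces.items():
        plen = ifa.network.prefixlen if use_netmask else 32
        text.append(f"pass in on {name} from any to {ifa.ip}/{plen}")
        text.append(f"pass out on {name} from {ifa.ip}/{plen} to any")
    # Assumption: the thread's trailing "..." stands for the same cross-interface
    # block-out line for every pair, so traffic for ne1's net never leaves via ne0.
    for name in interfaces:
        for other, ifa in interfaces.items():
            if other != name:
                text.append(f"block out on {name} from any to {ifa.ip}/{ifa.network.prefixlen}")
    return [parse_rule(t) for t in text]


if __name__ == "__main__":
    rules = strong_end_rules(INTERFACES)
    for direction, iface, src, dst in [
        ("in", "ne0", "10.0.0.1", "1.2.3.4"),    # own address on ne0: pass
        ("in", "ne0", "10.0.0.1", "4.3.2.1"),    # ne1's address arriving on ne0: block
        ("in", "ne0", "1.2.3.7", "1.2.3.255"),   # directed broadcast on ne0: pass
        ("out", "ne0", "4.3.2.1", "10.0.0.1"),   # ne1's address as source on ne0: block
    ]:
        print(f"{direction:3} {iface} {src} -> {dst}: {evaluate(rules, direction, iface, src, dst)}")
```

The broadcast check is the part worth keeping in mind: with block-any first, a /32 pass rule drops the directed broadcast 1.2.3.255 on ne0, while the addr/netmask form admits it, which is exactly the "what about non unicast packets" point raised earlier in the thread.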