On Sat, Feb 23, 2002 at 02:45:35PM +0200, Ruslan Ermilov wrote:
[snip]
> Router B: if0 (192.168.1.1/24) and if1 (192.168.4.1/24)
> Router A: if0 (192.168.1.2/24)
>
> On router A: route add -net 192.168.4 192.168.1.1, telnet 192.168.4.255.
>
> Or even simpler:
>
> Router: if0 (192.168.1.1/24 and 192.168.100.1/24)
> Host: if0 (192.168.1.2, default gateway 192.168.1.1)
Did 192.168.4.1/24 just become 192.168.100.1/24?
> On host:
>
> $ ping 192.168.100.255
> PING 192.168.100.255 (192.168.100.255): 56 data bytes
> 64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=0.245 ms
> 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.207 ms
> 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.207 ms
> ^C
> --- 192.168.100.255 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.207/0.220/0.245/0.018 ms
> $ telnet 192.168.100.255 25
> Trying 192.168.100.255...
> Connected to 192.168.100.255.
> Escape character is '^]'.
> 220 my.router.local.net ESMTP Sendmail 8.11.6/8.11.2; Sat, 23 Feb 2002 14:39:21
>+0200 (EET)
I can't reproduce this. I was only ever able to connect to the
broadcast on the local interface.
On victim "router (192.168.64.50):"
$ netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.64.254 UGSc 14 1768 dc0
127.0.0.1 127.0.0.1 UH 1 137708 lo0
172.16 link#3 UC 3 0 ep0
172.16.0.1 0:20:af:17:f:11 UHLW 0 2 lo0
192.168.64 link#1 UC 6 0 dc0
192.168.64.50 0:4:5a:40:d9:e5 UHLW 11 5310274 lo0
192.168.64.60 0:c0:f0:5a:6c:a UHLW 4 11416791 dc0 514
On attacker "host (192.168.64.60):"
$ netstat -rn -f
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.64.254 UGSc 1 0 dc0
127 127.0.0.1 UGSc 0 0 lo0
127.0.0.1 127.0.0.1 UH 1 1776 lo0
172.16 192.168.64.50 UGSc 1 4 dc0
192.168.64 link#1 UC 3 0 dc0
192.168.64.50 0:4:5a:40:d9:e5 UHLW 6 1318188 dc0 1003
Now on "host,"
$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: icmp_seq=0 ttl=64 time=0.518 ms
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.541 ms
^C
--- 172.16.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.518/0.530/0.541/0.011 ms
This works fine as expected with the weak-ES model. But for me,
$ ping 172.16.255.255
PING 172.16.255.255 (172.16.255.255): 56 data bytes
^C
--- 172.16.255.255 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
$ telnet 172.16.255.255
Trying 172.16.255.255...
telnet: connect to address 172.16.255.255: Operation timed out
telnet: Unable to connect to remote host
I can't reach the broadcast on the other interface. The "router" is
FreeBSD 4.5-RELEASE without any patches.
I'm not sure what I might be doing wrong.
If you are correct, and you can cross interfaces, this is a much
bigger problem. I didn't mention it in your first mail, but the
in_broadcast() function as used in the patch you sent is different
than the current implementation. in_broadacast() currently takes an
address and an interface. If you are correct, we'd have to loop
through the interface list... which makes this uglier.
--
Crist J. Clark | [EMAIL PROTECTED]
| [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/ | [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
