Hello!
I'd like to know your opinion about this patch http://www.morning.ru/~poige/patchzone/ingressfiltering.patch which is mine attempt to implement an ingress filter being inspired by RFC2827 "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing". (http://www.ietf.org/rfc/rfc2827.txt) It should be mentioned IMHO that this code makes another one in ip_input.c a kind of redundant -- I mean code checking/blocking the 127/8 network "on wire". BTW, I suggest if not removing it completely then adding (sys)logging into, -- 127/8-spoofing certainly should be logged. :) Another thing to pay an attention to: I deem it'd be better if a such filter was built-in into ip_fw.c, allowing such syntax for ipfw(8): deny log ip from any to any in via fxp0 spoofed But AFAIS in ip_fw.h: #define IP_FW_F_IN 0x00000100 ... #define IP_FW_F_DME 0x40000000 /* destination = me */ #define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */ and u_int32_t fw_flg; there is no free space for any additional flags... So, I was a bit unsure whether should I expand fw_flg to u_int64_t, and do any other extensions. For now I decided just to wrote something like a draft, test it (it seems to be working ;), and asking you, people, for your comments/ideas on it. P.S. A bit more info on this patch is at http://www.morning.ru/~poige/patchzone/ -- Igor M Podlesny a.k.a. Poige http://WwW.MorninG.RU/~poige To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-net" in the body of the message
