Re: My planned work on networking stack

From: Andre Oppermann (andre_at_freebsd.org)
Date: 03/05/04

    Date: Fri, 05 Mar 2004 22:31:35 +0100
    To: James <haesu@towardex.com>, freebsd-current@freebsd.org, freebsd-net@freebsd.org
    
    

    Andre Oppermann wrote:
    >
    > > there are still other things freebsd lacks. such as uRPF that _SERVICE_PROVIDER_
    > > can use. ipfw2 has verrevpath but all it does from what i know is strict uRPF
    > > only. service providers like myself, if we were to use freebsd boxen to run our
    > > network, i am not spending money on a router that doesn't do loose-check uRPF.
    > > this sounds like something linux does too but i refuse to use that :P
    >
    > That is pretty easy to implement. I should have it by Friday at the latest,
    > depends on when exactly I find time for it.
    >
    > ip verify unicast source reachable-via [any|ifn]
    >
    > The ipfw2 command would look like this: ... versrcreach [fxp0]

    Here you go:

     http://www.nrg4u.com/freebsd/ipfw_versrcreach.diff

    This one implements the standard functionality; the definition of an
    interface through which it has to be reachable is not (yet) supported.

    Using this option only makes sense when you don't have a default route,
    which naturally always matches. So this is useful for machines acting
    as routers with a default-free view of the entire Internet, as is common
    when running a BGP daemon (Zebra/Quagga or OpenBSD bgpd).

    One useful way of enabling it globally on a router looks like this:

     ipfw add xxxx deny ip from any to any not versrcreach

    or for an individual interface only:

     ipfw add xxxx deny ip from any to any not versrcreach recv fxp0

    I'd like to get some feedback (and a man page draft) before I commit it
    to -CURRENT.

    -- 
    Andre
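
Added illustration, not part of the original message and not the code in the linked diff: a small Python model of the loose source-reachability check described above, next to the strict check the quoted text attributes to verrevpath. The routing table, addresses, interface assignment and function names are constructed for the example.

```python
import ipaddress

# Constructed sample routing table (documentation prefixes, hypothetical
# interface assignment); there is deliberately no default route.
FIB = [("192.0.2.0/24", "fxp0"), ("198.51.100.0/24", "fxp1")]
DEFAULT_ROUTE = ("0.0.0.0/0", "fxp1")


def lookup(fib, addr):
    """Longest-prefix match: return (network, ifname) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def strict_check(fib, src, recv_if):
    """Strict uRPF: the route back to src must use the receiving interface."""
    route = lookup(fib, src)
    return route is not None and route[1] == recv_if


def loose_check(fib, src):
    """Loose uRPF: any route to src is enough, whatever its interface."""
    return lookup(fib, src) is not None


def rule_denies(fib, src, recv_if, only_recv=None):
    """Model of 'deny ip from any to any not versrcreach [recv IF]'."""
    if only_recv is not None and recv_if != only_recv:
        return False  # rule is scoped to another interface
    return not loose_check(fib, src)


if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9"):
        print(src, "strict:", strict_check(FIB, src, "fxp0"),
              "loose:", loose_check(FIB, src),
              "denied:", rule_denies(FIB, src, "fxp0"))
    # With a default route every source is "reachable" and nothing is denied.
    print(rule_denies(FIB + [DEFAULT_ROUTE], "203.0.113.9", "fxp0"))
```

A packet from 198.51.100.7 arriving on fxp0 (an asymmetric path) fails the strict check but passes the loose one, while the unrouted 203.0.113.9 is denied only as long as the table has no default route.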
    
