*BSD News Article 32441

Xref: sserve comp.os.386bsd.misc:2647 comp.os.386bsd.questions:11368
Path: sserve!newshost.anu.edu.au!munnari.oz.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!msuinfo!agate!howland.reston.ans.net!cs.utexas.edu!utnut!torn!uunet.ca!uunet.ca!fw.novatel.ca!sidney.novatel.ca!hpeyerl
From: hpeyerl@sidney.novatel.ca (Herb Peyerl)
Newsgroups: comp.os.386bsd.misc,comp.os.386bsd.questions
Subject: Re: FreeBSD as a firewall
Followup-To: comp.os.386bsd.misc,comp.os.386bsd.questions
Date: 6 Jul 1994 15:30:10 GMT
Organization: NovAtel Communications Ltd.
Lines: 44
Message-ID: <2veim2$2is@fw.novatel.ca>
References: <Cs9G7B.DE6@olivetti.nl>
NNTP-Posting-Host: sidney.novatel.ca
X-Newsreader: TIN [version 1.2 PL1]

Paul van der Zwan (paulz@olivetti.nl) wrote:
: Has anybody got any experience with using a 386 running FreeBSD as
: an internet-firewall behind a screening router ??

If you're going to do that; ensure that you explicitly disable
source-routes in your kernel.

Something like the following in /sys/netinet/ip_input.c should work:

(This diff is based on a NetBSD-current ip_input.c)

*** ip_input.c.dist     Wed Jul  6 09:14:42 1994
--- ip_input.c  Wed Jul  6 09:14:12 1994
***************
*** 686,691 ****
--- 686,696 ----
                 */
                case IPOPT_LSRR:
                case IPOPT_SSRR:
+ #ifdef NOSRCRT
+                       type=ICMP_UNREACH;
+                       code = ICMP_UNREACH_SRCFAIL;
+                       goto bad;
+ #endif
                        if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF) {
                                code = &cp[IPOPT_OFFSET] - (u_char *)ip;
                                goto bad;
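Review bot: with NOSRCRT defined, the `goto bad;` in the new block leaves the `if ((off = cp[IPOPT_OFFSET]) < IPOPT_MINOFF)` check and everything after it in the IPOPT_LSRR/IPOPT_SSRR case unreachable, so the remainder of the case should be put under a matching `#else ... #endif` (or the NOSRCRT drop hoisted out of the switch) rather than left as dead code under that option. The spacing is also inconsistent between `type=ICMP_UNREACH;` and `code = ICMP_UNREACH_SRCFAIL;`. Since the post itself says a better version would log that a source route was received together with the packet's src and dest addresses, the place for that log call is inside this `#ifdef NOSRCRT` block, before the `goto bad;`.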


Of course; you'll need to put "options NOSRCRT" in your kernel config file.

If I were going to do this; I'd probably do something a little better like
log the fact that a source-route was received and perhaps even print out the
src and dest addresses from the packet so you can see who's trying to do
what... That's left as an exercise for the reader.

I'm undecided as to whether I want to make that part of NetBSD or not. 

There are already wayyyyy too many kernel options.

--
hpeyerl@novatel.ca                           |  NovAtel Communications Ltd.
hpeyerl@fsa.ca                               | <nothing I say matters anyway>
 "A sucking chest wound is nature's way of telling you to slow down."
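A user-space counterpart to the logging Herb suggests, added here as an example and not code from the post or from NetBSD: it walks an IPv4 header's option list the way ip_dooptions() does, using the IPOPT_* values from <netinet/ip.h>, and reports the source and destination of any packet carrying an LSRR or SSRR option. The sample packet and its addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Option codes and offsets as defined in <netinet/ip.h> on BSD. */
#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_LSRR    131
#define IPOPT_SSRR    137
#define IPOPT_OFFSET  2
#define IPOPT_MINOFF  4

/* Walk the IPv4 option area the way ip_dooptions() does.  Returns 1 if a
 * loose/strict source route is present (src/dst get the header addresses,
 * 16-byte buffers), 0 if none, -1 if the header or options are malformed. */
int detect_source_route(const uint8_t *pkt, size_t len, char *src, char *dst)
{
    size_t hlen, cnt, optlen;
    const uint8_t *cp;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;           /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len) return -1;
    for (cp = pkt + 20, cnt = hlen - 20; cnt > 0; cp += optlen, cnt -= optlen) {
        uint8_t opt = cp[0];
        if (opt == IPOPT_EOL) break;
        if (opt == IPOPT_NOP) { optlen = 1; continue; }
        if (cnt < 2 || (optlen = cp[1]) < 2 || optlen > cnt) return -1;
        if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
            /* Same pointer sanity check the patched ip_input.c makes. */
            if (optlen < 3 || cp[IPOPT_OFFSET] < IPOPT_MINOFF) return -1;
            snprintf(src, 16, "%d.%d.%d.%d", pkt[12], pkt[13], pkt[14], pkt[15]);
            snprintf(dst, 16, "%d.%d.%d.%d", pkt[16], pkt[17], pkt[18], pkt[19]);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: 28-byte header (IHL 7) with one LSRR option naming
 * 10.0.0.1 as next hop, EOL-padded; documentation addresses, not real hosts. */
const uint8_t sample_lsrr[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,        /* source      192.0.2.1    */
    198, 51, 100, 7,     /* destination 198.51.100.7 */
    IPOPT_LSRR, 7, 4, 10, 0, 0, 1, IPOPT_EOL
};

int main(void) { /* stand-alone demo */
    char src[16], dst[16];
    if (detect_source_route(sample_lsrr, sizeof sample_lsrr, src, dst) == 1)
        printf("source-routed packet from %s to %s\n", src, dst);
    return 0;
}
```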