Future of pf / firewall in FreeBSD ? - does it have one ?
sthaug at nethelp.no
sthaug at nethelp.no
Mon Jul 21 06:57:34 UTC 2014
> > > Also, the openbsd stack has some essential features missing in freebsd,
> > > like mpls and md5 auth for bgp sessions.
> >
> > I use MD5 auth for BGP sessions every day (and have been doing so for
> > several releases). One could definitely wish for better integration -
> > having to specify MD5 key both in /etc/ipsec.conf and in the Quagga
> > bgpd config is not nice. But it works.
> >
> As far as I know you can only send out correctly authed stuff but not
> validate incoming. Has that changed?
Have a look at tcp_signature_verify(), called from tcp_input.c. Added
in r221023, see
http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
----------------------------------------------------------------------
Revision 221023 - (view) (download) (annotate) - [select for diffs]
Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
File length: 106717 byte(s)
Diff to previous 220560
Add the possibility to verify MD5 hash of incoming TCP packets.
As long as this is a costy function, even when compiled in (along with
the option TCP_SIGNATURE), it can be disabled via the
net.inet.tcp.signature_verify_input sysctl.
Sponsored by: Sandvine Incorporated
Reviewed by: emaste, bz
MFC after: 2 weeks
More information about the freebsd-current
mailing list