Suggestion regarding a new option for IPFW2
Louis A. Mamakos
louie at TransSys.COM
Fri Aug 1 12:10:11 PDT 2003
TCP resets MUST already come with the source address rewritten,
otherwise it won't match up with the connection attempt on the
original host. If you look in ip_fw2.c:
/*
* Assume we are sending a RST (or a keepalive in the reverse
* direction), swap src and destination addresses and ports.
*/
ip->ip_src.s_addr = htonl(id->dst_ip);
ip->ip_dst.s_addr = htonl(id->src_ip);
tcp->th_sport = htons(id->dst_port);
tcp->th_dport = htons(id->src_port);
appears in the send_pkt() function which appears to be called to
send the reset segments.
louie
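As an added illustration (this is not Louie's code and not the FreeBSD ip_fw2.c source), the following C program does in user space what the quoted send_pkt() excerpt does in the kernel: it takes the 4-tuple of a rejected segment, builds the answering RST with source and destination addresses and ports swapped, and then checks that the RST would match the connection the original host has in SYN-SENT. The struct names (flow_id, tcp_seg), the function names and the 10.0.0.5 -> 10.0.0.9:22 sample segment are all constructed for the example. The seq/ack rules for the RST are the generic RFC 793 ones and go beyond what the post itself states.

```c
/* Added example, not from the post or from FreeBSD: why a firewall's
 * RST must carry the swapped 4-tuple of the segment it rejects. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_ACK  0x10

/* Stand-in for ipfw's flow id (hypothetical struct): addresses and
 * ports kept in host byte order, like the id->src_ip fields in the post. */
struct flow_id {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* The few TCP header fields the example needs, host byte order. */
struct tcp_seg {
    struct flow_id id;
    uint32_t seq, ack;
    uint8_t  flags;
    uint32_t payload_len;
};

/* Build the RST that answers 'in': swap src and destination addresses
 * and ports as send_pkt() does, then set seq/ack per RFC 793 so the
 * receiving stack accepts the segment. */
struct tcp_seg build_rst(const struct tcp_seg *in)
{
    struct tcp_seg rst;
    memset(&rst, 0, sizeof rst);

    /* The swap from the post: our source is their destination. */
    rst.id.src_ip   = in->id.dst_ip;
    rst.id.dst_ip   = in->id.src_ip;
    rst.id.src_port = in->id.dst_port;
    rst.id.dst_port = in->id.src_port;

    if (in->flags & TH_ACK) {
        /* Incoming segment had ACK: RST's seq is that ack, no ACK bit. */
        rst.seq   = in->ack;
        rst.flags = TH_RST;
    } else {
        /* No ACK (a bare SYN): seq 0, ack = seq + segment length,
         * where SYN and FIN each count as one octet. */
        uint32_t len = in->payload_len
                     + ((in->flags & TH_SYN) ? 1 : 0)
                     + ((in->flags & TH_FIN) ? 1 : 0);
        rst.seq   = 0;
        rst.ack   = in->seq + len;
        rst.flags = TH_RST | TH_ACK;
    }
    return rst;
}

/* The lookup the originating host effectively performs: a RST belongs
 * to the pending connection only if it comes from the peer we contacted
 * and is addressed to the local socket that sent the SYN. */
bool rst_matches_connection(const struct tcp_seg *orig,
                            const struct tcp_seg *rst)
{
    return (rst->flags & TH_RST)
        && rst->id.src_ip   == orig->id.dst_ip
        && rst->id.dst_ip   == orig->id.src_ip
        && rst->id.src_port == orig->id.dst_port
        && rst->id.dst_port == orig->id.src_port;
}

/* Constructed sample: a SYN from 10.0.0.5:40000 to 10.0.0.9:22. */
const struct tcp_seg sample_syn = {
    .id = { .src_ip = 0x0a000005, .dst_ip = 0x0a000009,
            .src_port = 40000, .dst_port = 22 },
    .seq = 1000, .ack = 0, .flags = TH_SYN, .payload_len = 0,
};

int main(void)
{
    struct tcp_seg rst = build_rst(&sample_syn);
    printf("RST %08x:%u -> %08x:%u seq=%u ack=%u matches=%d\n",
           (unsigned)rst.id.src_ip, (unsigned)rst.id.src_port,
           (unsigned)rst.id.dst_ip, (unsigned)rst.id.dst_port,
           (unsigned)rst.seq, (unsigned)rst.ack,
           rst_matches_connection(&sample_syn, &rst));
    return 0;
}
```

Running it shows the RST leaving from 10.0.0.9:22 back to 10.0.0.5:40000 with ack 1001; a RST that kept the rejected segment's own addresses would fail rst_matches_connection() and be dropped by the originating host, which is the point Louie makes about send_pkt().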