Future of pf / firewall in FreeBSD ? - does it have one ?

Andreas Nilsson andrnils at gmail.com
Mon Jul 21 11:46:30 UTC 2014


On Mon, Jul 21, 2014 at 8:56 AM, <sthaug at nethelp.no> wrote:

> > > > Also, the openbsd stack has some essential features missing in
> freebsd,
> > > > like mpls and md5 auth for bgp sessions.
> > >
> > > I use MD5 auth for BGP sessions every day (and have been doing so for
> > > several releases). One could definitely wish for better integration -
> > > having to specify MD5 key both in /etc/ipsec.conf and in the Quagga
> > > bgpd config is not nice. But it works.
> > >
> > As far as I know you can only send out correctly authed stuff but not
> > validate incoming. Has that changed?
>
> Have a look at tcp_signature_verify(), called from tcp_input.c. Added
> in r221023, see
>
> http://svnweb.freebsd.org/base/head/sys/netinet/tcp_input.c?view=log
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
>
> ----------------------------------------------------------------------
>
> Revision 221023 - (view) (download) (annotate) - [select for diffs]
> Modified Mon Apr 25 17:13:40 2011 UTC (3 years, 2 months ago) by attilio
> File length: 106717 byte(s)
> Diff to previous 220560
> Add the possibility to verify MD5 hash of incoming TCP packets.
> As long as this is a costy function, even when compiled in (along with
> the option TCP_SIGNATURE), it can be disabled via the
> net.inet.tcp.signature_verify_input sysctl.
>
> Sponsored by:                       Sandvine Incorporated
> Reviewed by:                        emaste, bz
> MFC after:                          2 weeks
>
> I stand corrected. Excellent news ( for me, that is) :)

Best regards
Andeas


More information about the freebsd-questions mailing list