Date:      Fri, 04 Aug 2006 13:02:25 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        Gleb Smirnoff <glebius@freebsd.org>, current@freebsd.org
Subject:   Re: Ignore: Re: ipfw output FWD broken on 6.1 and newer?
Message-ID:  <44D3A7D1.2060607@elischer.org>
In-Reply-To: <44D38BB5.4080009@freebsd.org>
References:  <44D1473F.1000204@elischer.org> <44D150D6.6010101@elischer.org> <20060804101052.GW96644@FreeBSD.org> <44D38BB5.4080009@freebsd.org>

Andre Oppermann wrote:

> Gleb Smirnoff wrote:
>
>> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
>> J> >I haven't tried 7.x yet but has anyone seen
>> J> >the FWD command of ipfw running on 6.1?
>> J> >
>> J> >or anyone know of problems with it that may have been fixed on -current?
>> J>
>> J> Just found the "EXTENDED" option for ipfw fwd.
>> J> Why we need that is weird since it just allows it to act as it always
>> J> used to and it never caused any massive problems that I know of (I
>> J> committed it originally).
>> J> personally I consider removing the option and making it default or
>> J> reversing it and calling it
>> J>
>> J> IPFIREWALL_FORWARD_CRIPPLED
>>
>> I'm surprised that you have noticed it only now. When Andre has introduced
>> this option that turns on a functionality that was present always before,
>> I was quite angry but everyone ignored me. This even went to release notes
>> as "new feature".
>
> The reason I did it this way was to prevent way too easy foot shooting by
> redirecting too much traffic somewhere else and killing the reachability
> of the host itself of other hosts on directly connected networks. Yes, the
> two level approach has some drawbacks but also makes people much more aware
> of what they are doing by having to explicitly specify the second kernel
> option. To enable ipfirewall forwarding people have to compile their own
> kernel anyway, having them specify the second additional option is not too
> much of a burden. Although I agree that for experienced people it is some
> additional work to enter the two dozen characters.
>

Andre, I committed the original fwd code.
I do not think that it is any more dangerous to do this than to block
yourself off with the firewall in any other way.

If you don't mind I plan to remove that option and restore the original
functionality as default.
