Date: Mon, 26 Feb 1996 12:37:51 -0600 (CST)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: tom@uniserve.com (Tom Samplonius)
Cc: imb@scgt.oz.au, phk@critter.tfs.com, stable@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: -stable hangs at boot (fwd)
Message-ID: <199602261837.MAA15680@brasil.moneng.mei.com>
In-Reply-To: <Pine.BSF.3.91.960226091641.21606B-100000@haven.uniserve.com> from "Tom Samplonius" at Feb 26, 96 09:17:59 am

> On Tue, 27 Feb 1996, michael butler wrote:
>
> > Poul-Henning Kamp writes:
> >
> > > Well, this happens to be your view. I know machines where IPFW are being
> > > used to restrict what users on the machine can do, this is only possible
> > > if you filter >ALL< traffic, to and from the machine.
> >
> > I haven't checked this but .. what happens to a packet which matches a
> > "reject" rule when it's not actually destined for the machine doing the
> > filtering .. does it still generate an ICMP "host unreachable" ?
>
> The system shouldn't be getting packets not destined for it, unless the
> interface is in promiscuous mode, which it is not normally.

Think about:

"route add -net 123.45.67.0 -netmask 0xffffff00 some.firewall.router.org 1"

Not all packet delivery(/routing) is passively sitting on your butt on an
Ethernet waiting for an ARP request. Sometimes you have things pushed at
you by other routers :-)

In my opinion it would be most useful to catch things and return ICMP
HOST_UNREACHABLE messages at the firewall. Your average Cisco/etc router
can do it. The only thing you might need to be careful about would be
broadcasts/multicasts.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                    jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI           414/546-7968

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602261837.MAA15680>
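
The broadcast/multicast caveat raised in the message above, as an added example that is not part of the original e-mail or of FreeBSD's ipfw code: a decision function for whether a forwarding firewall may answer a packet that hit a "reject" rule with ICMP host unreachable, using the exclusions from RFC 1122 section 3.2.2. The names `reject_reply`, `make_pkt` and `net_bcast` are hypothetical, and the sample packets are constructed (the 123.45.67.0/24 net is taken from the route command in the message).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum reject_action { DROP_SILENT = 0, SEND_HOST_UNREACH = 1 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Zero, loopback, multicast (224/4) and class E / limited broadcast (240/4). */
static int unanswerable(uint32_t a) {
    return a == 0 || (a >> 24) == 127 || (a >> 28) >= 0xe;
}

/* Reply for a packet that matched a "reject" rule while being forwarded.
 * net_bcast: directed broadcast of the filtered net, host byte order (assumed known). */
enum reject_action reject_reply(const uint8_t *pkt, size_t len, uint32_t net_bcast) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_SILENT;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return DROP_SILENT;
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16);
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return DROP_SILENT; /* non-initial fragment */
    if (unanswerable(src) || unanswerable(dst) || dst == net_bcast) return DROP_SILENT;
    if (pkt[9] == 1) {  /* ICMP: never answer an error message with another error */
        if (len <= ihl) return DROP_SILENT;
        uint8_t t = pkt[ihl];
        if (t == 3 || t == 4 || t == 5 || t == 11 || t == 12) return DROP_SILENT;
    }
    return SEND_HOST_UNREACH;
}

/* Build a constructed 28-byte sample packet: 20-byte header plus 8 payload bytes. */
void make_pkt(uint8_t *b, uint8_t proto, uint32_t src, uint32_t dst, uint16_t frag, uint8_t first) {
    memset(b, 0, 28);
    b[0] = 0x45; b[3] = 28; b[8] = 64; b[9] = proto;
    b[6] = (uint8_t)(frag >> 8); b[7] = (uint8_t)frag;
    for (int i = 0; i < 4; i++) {
        b[12 + i] = (uint8_t)(src >> (24 - 8 * i)); b[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    b[20] = first;  /* first payload byte, i.e. the ICMP type when proto == 1 */
}

int main(void) {
    uint8_t p[28];
    make_pkt(p, 6, 0xC0000205u, 0x7B2D4309u, 0, 0);   /* 192.0.2.5 -> 123.45.67.9 */
    printf("unicast: %d\n", (int)reject_reply(p, 28, 0x7B2D43FFu));
    make_pkt(p, 17, 0xC0000205u, 0x7B2D43FFu, 0, 0);  /* -> 123.45.67.255 */
    printf("directed broadcast: %d\n", (int)reject_reply(p, 28, 0x7B2D43FFu));
    return 0;
}
```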