From owner-freebsd-current Mon Feb 26 10:39:32 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA07005 for current-outgoing; Mon, 26 Feb 1996 10:39:32 -0800 (PST)
Received: from brasil.moneng.mei.com (brasil.moneng.mei.com [151.186.109.160]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA06997 Mon, 26 Feb 1996 10:39:28 -0800 (PST)
Received: (from jgreco@localhost) by brasil.moneng.mei.com (8.7.Beta.1/8.7.Beta.1) id MAA15680; Mon, 26 Feb 1996 12:37:51 -0600
From: Joe Greco
Message-Id: <199602261837.MAA15680@brasil.moneng.mei.com>
Subject: Re: -stable hangs at boot (fwd)
To: tom@uniserve.com (Tom Samplonius)
Date: Mon, 26 Feb 1996 12:37:51 -0600 (CST)
Cc: imb@scgt.oz.au, phk@critter.tfs.com, stable@FreeBSD.ORG, current@FreeBSD.ORG
In-Reply-To: from "Tom Samplonius" at Feb 26, 96 09:17:59 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-current@FreeBSD.ORG
Precedence: bulk

> On Tue, 27 Feb 1996, michael butler wrote:
>
> > Poul-Henning Kamp writes:
> >
> > > Well, this happens to be your view. I know machines where IPFW are being
> > > used to restrict what users on the machine can do, this is only possible
> > > if you filter >ALL< traffic, to and from the machine.
> >
> > I haven't checked this but .. what happens to a packet which matches a
> > "reject" rule when it's not actually destined for the machine doing the
> > filtering .. does it still generate an ICMP "host unreachable" ?
>
> The system shouldn't be getting packets not destined for it, unless the
> interface is in promiscuous mode, which it is not normally.

Think about:

"route add -net 123.45.67.0 -netmask 0xffffff00 some.firewall.router.org 1"

Not all packet delivery(/routing) is passively sitting on your butt on an
Ethernet waiting for an ARP request. Sometimes you have things pushed at
you by other routers :-)

In my opinion it would be most useful to catch things and return ICMP
HOST_UNREACHABLE messages at the firewall. Your average Cisco/etc router
can do it. The only thing you might need to be careful about would be
broadcasts/multicasts.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                       jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                   414/546-7968
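
Added example, not part of the original message and not IPFW's code: a Python sketch of the "reject" decision for a forwarded packet, building the ICMP host-unreachable reply and suppressing it for broadcast and multicast destinations as RFC 1122 section 3.2.2 requires. The 123.45.67.0/24 network comes from the route command in the message; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH, ICMP_HOST_UNREACH = 3, 1          # ICMP type 3, code 1
# Network behind the filtering router (from the route command; 0xffffff00 = /24).
PROTECTED_NET = ipaddress.ip_network("123.45.67.0/24")

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def may_send_icmp_error(dst: ipaddress.IPv4Address) -> bool:
    """No ICMP error for multicast, limited broadcast or subnet broadcast."""
    return not (dst.is_multicast
                or dst == ipaddress.IPv4Address("255.255.255.255")
                or dst == PROTECTED_NET.broadcast_address)

def host_unreachable(packet: bytes) -> bytes:
    """ICMP header followed by the offending IP header and 8 payload bytes."""
    ihl = (packet[0] & 0x0F) * 4
    quoted = packet[:ihl + 8]
    head = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, 0)
    csum = inet_checksum(head + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_HOST_UNREACH,
                       csum, 0) + quoted

def reject(packet: bytes):
    """ICMP message to return to the sender, or None for a silent drop."""
    dst = ipaddress.IPv4Address(packet[16:20])       # IPv4 destination field
    return host_unreachable(packet) if may_send_icmp_error(dst) else None

def sample_packet(dst: str) -> bytes:
    """Constructed input: 20-byte IPv4 header plus 8-byte UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address("198.51.100.7").packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HHHH", 40000, 53, 8, 0)

if __name__ == "__main__":
    for dst in ("123.45.67.10", "123.45.67.255", "224.0.0.1"):
        reply = reject(sample_packet(dst))
        print(dst, "->", "ICMP host unreachable" if reply else "silent drop")
```

RFC 1122 also forbids ICMP errors in reply to ICMP errors and to non-initial fragments; those checks are left out here to keep the sketch on the broadcast/multicast case the message raises.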