Date: Thu, 3 Jan 2002 20:51:14 +0700
From: Igor M Podlesny <poige@morning.ru>
To: "Crist J . Clark" <cristjc@earthlink.net>
Cc: cjclark@alum.mit.edu, freebsd-hackers@FreeBSD.ORG
Subject: Re[2]: /etc/rc.firewall and /sys/netinet/ip_input.c are doing the same thing
Message-ID: <154516933330.20020103205114@morning.ru>
In-Reply-To: <20011226101649.A2090@blossom.cjclark.org>
References: <Pine.BSF.4.33.0112231015180.35760-100000@resnet.uoregon.edu>
 <107466819110.20011224191009@morning.ru>
 <20011225151328.A136@gohan.cjclark.org>
 <18957829724.20011226144634@morning.ru>
 <20011226101649.A2090@blossom.cjclark.org>
Hello!

> On Wed, Dec 26, 2001 at 02:46:34PM +0700, Igor M Podlesny wrote:
>> > On Mon, Dec 24, 2001 at 07:10:09PM +0700, Igor M Podlesny wrote:
>> >> well, not all the same, but partly. Take a look:
>> > Yes. We know.
>> Well. It doesn't surprise me.
>> P.S. Is it a `feature'? ;)
>> P.P.S. Talking seriously (as much as possible ;), which reasons don't
>> let removing of 3 lines from rc.firewall?
> The reason not to remove them is to avoid the steady stream of emails
> to -questions, -security, -ipfw, and -net

A question for the FAQ, don't you agree?

> from people unaware of the
> built-in protection from loopback addresses informing us that we
> should have rules like that by default.

And smells like Windoze, no? `Dumb protection' which is really dumb itself?

> The rules don't hurt
> anything (just _try_ to measure a performance impact),

No, I won't measure the performance impact because I see a much bigger
problem -- it gets into any custom ruleset being loaded with rc.firewall.
Such rules as `pass ip from any to any via lo' (not even lo*) hurt a lot
when you use jail(8) on the same box! As is obvious, almost always any
jailed service's network activity should be treated as coming from an
external NIC (network), and isn't it the time to say "...It's always funny
until someone gets hurt. Then it's hilarious..."?

P.S. Will anybody sometime patch jail.c to handle both IP-addresses and
hostnames?

-- 
Igor M Podlesny a.k.a. Poige
http://www.morning.ru/~poige
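The point of the message above is that rc.firewall's unconditional `pass ... via lo0` rule is wider than the kernel's own check (ip_input.c drops 127/8 source or destination addresses that arrive on a non-loopback interface, but says nothing about other addresses carried over lo0), and on a host running jail(8) that width matters: a local connection to a jail's address is delivered over lo0 and so bypasses the rest of the ruleset. The script below is an added example, not code from this thread or from FreeBSD's rc.firewall. It prints the three default loopback rules as they appear in the FreeBSD 4.x rc.firewall next to a jail-aware replacement that passes only 127.0.0.1 talking to itself and makes every other lo0 packet match an explicit service rule. The jail addresses and ports, the `ip/port` list format and the rule numbers 400/410/490 are assumptions made for the example; `fwcmd` defaults to `echo ipfw` so the script runs as a dry run anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# fwcmd defaults to "echo ipfw" so this runs as a dry run on any system;
# on a FreeBSD box, "fwcmd=ipfw sh thisfile" loads the rules for real.
fwcmd="${fwcmd:-echo ipfw}"

# The three loopback rules rc.firewall installs by default (FreeBSD 4.x).
# Rule 100 passes everything that travels over lo0, which on a host
# running jails includes host<->jail traffic to the jail addresses,
# not only 127.0.0.1 talking to itself.
default_loopback_rules() {
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

# Jail-aware variant. Assumption: the argument is a space-separated list
# of "ip/port" TCP services that jails may expose over lo0, for example
# "10.0.0.5/80 10.0.0.6/25" (addresses constructed for this example).
# Only 127.0.0.1 <-> 127.0.0.1 is passed unconditionally; any other lo0
# traffic must match an explicit service rule, so a jailed service is
# filtered as if it sat behind an external NIC.
jail_aware_loopback_rules() {
    jail_services="$1"
    ${fwcmd} add 100 pass all from 127.0.0.1 to 127.0.0.1 via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Replies to connections accepted by the keep-state rules below.
    ${fwcmd} add 400 check-state
    for svc in $jail_services; do
        ip="${svc%/*}"
        port="${svc#*/}"
        ${fwcmd} add 410 pass tcp from any to "$ip" "$port" via lo0 setup keep-state
    done
    # Everything else on lo0 (including jail traffic to unlisted ports)
    # hits a logged deny instead of the blanket pass.
    ${fwcmd} add 490 deny log all from any to any via lo0
}

# Dry-run demo of both rule sets.
echo "# default rc.firewall loopback rules"
default_loopback_rules
echo "# jail-aware loopback rules"
jail_aware_loopback_rules "10.0.0.5/80 10.0.0.6/25"
```

Two caveats before loading the second set on a real box: local clients also reach the host's own non-loopback addresses over lo0, so services bound to those addresses need rules of their own, and the example covers TCP only, so UDP or ICMP between host and jail (a jailed resolver, for instance) needs explicit rules as well or it ends up in rule 490's log.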