From owner-freebsd-hackers Thu Jan 3 5:48:10 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mars-gw.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id EFFAA37B417 for ; Thu, 3 Jan 2002 05:48:02 -0800 (PST)
Received: from NDNM ([195.161.98.250]) by mars-gw.morning.ru (8.11.5/8.11.5) with ESMTP id g03Dls796211; Thu, 3 Jan 2002 20:47:55 +0700 (KRAT)
Date: Thu, 3 Jan 2002 20:51:14 +0700
From: Igor M Podlesny
X-Mailer: The Bat! (v1.53d) Business
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <154516933330.20020103205114@morning.ru>
To: "Crist J . Clark"
Cc: cjclark@alum.mit.edu, freebsd-hackers@FreeBSD.ORG
Subject: Re[2]: /etc/rc.firewall and /sys/netinet/ip_input.c are doing the same thing
In-Reply-To: <20011226101649.A2090@blossom.cjclark.org>
References: <107466819110.20011224191009@morning.ru> <20011225151328.A136@gohan.cjclark.org> <18957829724.20011226144634@morning.ru> <20011226101649.A2090@blossom.cjclark.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello!

> On Wed, Dec 26, 2001 at 02:46:34PM +0700, Igor M Podlesny wrote:
>> > On Mon, Dec 24, 2001 at 07:10:09PM +0700, Igor M Podlesny wrote:
>> >> well, not all the same, but partly. Take a look:
>> > Yes. We know.
>> Well. It doesn't surprise me.
>> P.S. Is it a `feature'? ;)
>> P.P.S. Talking seriously (as much as possible ;), which reasons don't
>> let removing of 3 lines from rc.firewall?
> The reason not to remove them is to avoid the steady stream of emails
> to -questions, -security, -ipfw, and -net

A question for the FAQ, don't you agree?

> from people unaware of the
> built-in protection from loopback addresses informing us that we
> should have rules like that by default.

And smells like Windoze, no? `Dumb protection' which is really dumb itself?

> The rules don't hurt
> anything (just _try_ to measure a performance impact),

No, I won't measure the performance impact because I see a much bigger problem -- it gets into any custom ruleset being loaded with rc.firewall. Such rules as `pass ip from any to any via lo' (not even lo*) hurt a lot when you use jail(8) on the same box! As is obviously seen, almost always any jailed service's network activity should be treated as coming from the external NIC (network), and isn't it time to say "...It's always funny until someone gets hurt. Then it's hilarious..."?

P.S. Will anybody sometime patch jail.c to handle both IP addresses and hostnames?

-- 
Igor M Podlesny a.k.a. Poige
http://www.morning.ru/~poige
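An added illustration, not part of the thread and not FreeBSD's own rc.firewall: the loopback rules the message refers to (modelled on rc.firewall; the exact text and rule numbers are an assumption) beside a narrowed variant for a host running jail(8), with a check for the blanket lo0 pass. Since ipfw is first-match, a packet between a jail's alias address and the host, which FreeBSD routes over lo0, matches the blanket rule and never reaches any later rule.

```shell
#!/bin/sh
# Added example (assumption-based, not FreeBSD's rc.firewall code).
# FWCMD defaults to a dry run so the rules can be read or tested without ipfw.
FWCMD="${FWCMD:-echo ipfw}"

# Stock-style rules: rule 100 passes everything that crosses lo0, and
# ipfw stops at the first match, so jail<->host traffic on lo0 bypasses
# rules 200, 300 and the whole custom ruleset that follows them.
stock_loopback_rules() {
    ${FWCMD} add 100 pass ip from any to any via lo0
    ${FWCMD} add 200 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 300 deny ip from 127.0.0.0/8 to any
}

# Narrowed variant (an assumption, not a FreeBSD default): only genuine
# 127/8 traffic gets the unconditional pass. Jail<->host packets on lo0
# fall through and are filtered like packets from an external interface,
# which is the treatment the message argues jailed services should get.
jail_aware_loopback_rules() {
    ${FWCMD} add 100 pass ip from 127.0.0.0/8 to 127.0.0.0/8 via lo0
    ${FWCMD} add 200 deny ip from any to 127.0.0.0/8
    ${FWCMD} add 300 deny ip from 127.0.0.0/8 to any
}

# Exit 0 if the given rule text still carries the blanket lo0 pass.
# Usage: has_blanket_lo0_pass "$(stock_loopback_rules)"
has_blanket_lo0_pass() {
    printf '%s\n' "$1" | grep -q 'pass ip from any to any via lo0'
}
```

Run with `FWCMD=ipfw` on a test host to load a variant for real; the check can be pointed at `ipfw list` output in the same way.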