Message-ID: <19981027002354.A21396@best.com>
Date: Tue, 27 Oct 1998 00:23:54 -0800
From: "Jan B. Koum "
To: Luigi Rizzo
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: tcp resets with ipfw
References: <19981026224146.A9124@best.com> <199810270608.HAA03617@labinfo.iet.unipi.it>
In-Reply-To: <199810270608.HAA03617@labinfo.iet.unipi.it>; from Luigi Rizzo on Tue, Oct 27, 1998 at 07:08:36AM +0100
X-Mailer: Mutt 0.93.2i

On Tue, Oct 27, 1998 at 07:08:36AM +0100, Luigi Rizzo wrote:
> > Hello,
> >
> > It will really be sad when someday someone with root access to
> > FreeBSD box does (either accidentally or on purpose):
> >
> > # ipfw add 1 reset tcp from any to any
> >
> > While one might argue this is equivalent to doing "rm -rf /*",
> > many people alias rm to rm -i. Would it make sense to have
> > ipfw code check to make sure people don't take down the network
> > by making a typo or some such? If so, how would we do that? I like
> > the way Cisco routers do:
> >
> > This may severely impact network performance. Continue? [confirm]
>
> because any modification to the firewall "may severely impact network
> performance" you'll have to print message in all cases, at which point
> people will alias ipfw to avoid the message.
> The problem exists for far too many commands including
>
> ifconfig XXX delete
>
> etc.
>
> cheers
> luigi

I was giving an example of what Cisco IOS says when you want to enable
all the debug possible. I don't think doing some basic ip filtering
severely impacts the network. Or does it?

Plus, your example takes down a system. Mine takes down the whole
network. Imagine a hub at an ISP Colo and someone does that. *Poof*

But you do have a point and I completely agree with you. This example
is from the "I pointed a gun at my foot, pulled the trigger and now my
foot hurts" series unfortunately. However, in this case the foot is
not only your system, but many others which might not even belong to
you.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
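The "are you sure?" check discussed above, written as an added example that is not part of this thread and not part of ipfw(8) itself: a POSIX shell wrapper that inspects the rule before handing it to ipfw and asks for confirmation only when the rule is a deny/reset that matches all traffic, so it stays quiet for ordinary rules (which is Luigi's objection to prompting on every change). Function names, the `IPFW_BIN` variable and the exact list of actions checked are this example's own assumptions; the rule syntax `add [number] <action> <proto> from <src> to <dst>` is ipfw's.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a guard that
# flags ipfw rules which block or reset ALL traffic, so an interactive
# wrapper can ask for confirmation before applying them.
#
# Assumed rule shape: add [number] <action> <proto> from <src> to <dst> ...

# is_broad_block_rule ARGS...
# Returns 0 (true) when the arguments describe a blocking rule whose
# source and destination are both "any"; 1 otherwise.
is_broad_block_rule() {
    [ "$1" = "add" ] || return 1
    shift
    case "$1" in
        ''|*[!0-9]*) ;;      # no rule number given, action comes first
        *) shift ;;          # skip the rule number
    esac
    case "$1" in
        deny|drop|reject|reset) ;;   # assumed list of "traffic-killing" actions
        *) return 1 ;;               # allow, count, etc. are left alone
    esac
    # $2 is the protocol; what matters is the "from any to any" match
    [ "$3" = "from" ] && [ "$4" = "any" ] && [ "$5" = "to" ] && [ "$6" = "any" ]
}

# guarded_ipfw ARGS...
# Drop-in replacement for ipfw that prompts only for broad blocking rules.
# IPFW_BIN is a hypothetical override so the wrapper can be exercised
# without a real firewall; it defaults to /sbin/ipfw.
guarded_ipfw() {
    if is_broad_block_rule "$@"; then
        printf 'This rule matches ALL traffic and may cut you off the network. Continue? [y/N] ' >&2
        read -r answer
        case "$answer" in
            y|Y) ;;
            *) echo "ipfw: rule not applied" >&2; return 2 ;;
        esac
    fi
    "${IPFW_BIN:-/sbin/ipfw}" "$@"
}

# Usage: source this file and use guarded_ipfw in place of ipfw, e.g.
#   guarded_ipfw add 1 reset tcp from any to any     # prompts
#   guarded_ipfw add 100 allow tcp from any to any   # silent, passes through
```

The check deliberately keys on the match part of the rule rather than the action alone, so an administrator who blocks a single host is not nagged; aliasing `ipfw` to `guarded_ipfw` in a login shell gives the same effect as the common `rm -i` alias mentioned in the thread, without changing ipfw itself.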