Date: Tue, 27 Oct 1998 00:23:54 -0800
From: "Jan B. Koum" <jkb@best.com>
To: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: tcp resets with ipfw
Message-ID: <19981027002354.A21396@best.com>
In-Reply-To: <199810270608.HAA03617@labinfo.iet.unipi.it>; from Luigi Rizzo on Tue, Oct 27, 1998 at 07:08:36AM +0100
References: <19981026224146.A9124@best.com> <199810270608.HAA03617@labinfo.iet.unipi.it>
On Tue, Oct 27, 1998 at 07:08:36AM +0100, Luigi Rizzo <luigi@labinfo.iet.unipi.it> wrote:
> > Hello,
> >
> > It will really be sad when someday someone with root access to
> > FreeBSD box does (either accidentally or on purpose):
> >
> > # ipfw add 1 reset tcp from any to any
> >
> > While one might argue this is equivalent to doing "rm -rf /*",
> > many people alias rm to rm -i. Would it make sense to have
> > ipfw code check to make sure people don't take down the network
> > by making a typo or some such? If so, how would we do that? I like
> > the way Cisco routers do:
> >
> > This may severely impact network performance. Continue? [confirm]
>
> because any modification to the firewall "may severely impact network
> performance" you'll have to print the message in all cases, at which point
> people will alias ipfw to avoid the message.
> The problem exists for far too many commands including
>
> ifconfig XXX delete
>
> etc.
>
> cheers
> luigi

I was giving an example of what Cisco IOS says when you want to enable all
the debug possible. I don't think doing some basic IP filtering severely
impacts the network. Or does it?

Plus, your example takes down a system. Mine takes down the whole network.
Imagine a hub at an ISP Colo and someone does that. *Poof*

But you do have a point and I completely agree with you. This example is
from the "I pointed gun at my foot, pulled the trigger and now my foot hurts"
series unfortunately. However, in this case the foot is not only your system,
but many others which might not even belong to you.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
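The confirmation check Jan asks for, as an added example that is not part of ipfw or of this thread: a sh wrapper that recognises an `ipfw add` whose action is reset/deny/drop/unreach, whose source and destination are both `any`, and which carries no port restriction, and prompts before handing it to ipfw(8). Rules that only match a port, a prefix or an allow action pass straight through, so the prompt does not fire on ordinary edits (Luigi's objection to prompting on every change). The names `safe_ipfw`, `is_blanket_block`, `IPFW_BIN` and `IPFW_FORCE` are chosen here for the example, not ipfw's.

```shell
#!/bin/sh
# Example wrapper for ipfw(8): confirm before installing a rule that would
# block every packet. Not part of ipfw; the names safe_ipfw,
# is_blanket_block, IPFW_BIN and IPFW_FORCE are assumptions for this example.

IPFW_BIN="${IPFW_BIN:-/sbin/ipfw}"

# is_blanket_block ARGS...  exits 0 when ARGS are an "ipfw add" whose action
# is reset/deny/drop/unreach, whose source and destination are both "any",
# and which carries no port restriction, i.e. a rule that cuts off all
# matching traffic, including the session you typed it from.
is_blanket_block() {
    [ "$1" = "add" ] || return 1
    shift
    # an optional numeric rule number may precede the action
    case "$1" in
        ''|*[!0-9]*) ;;
        *) shift ;;
    esac
    case "$1" in
        reset|deny|drop|unreach) ;;
        *) return 1 ;;
    esac
    shift
    src=""; dst=""; ports=0
    # remaining words: [log] [code] proto from SRC [PORTS] to DST [PORTS] [options]
    while [ $# -gt 0 ]; do
        case "$1" in
            from) [ $# -ge 2 ] || return 1
                  src="$2"; shift 2
                  # anything between SRC and "to" is a source port list
                  [ "${1:-to}" = "to" ] || ports=1 ;;
            to)   [ $# -ge 2 ] || return 1
                  dst="$2"; shift 2
                  # a numeric word right after DST is a destination port list
                  case "${1:-}" in ''|*[!0-9,-]*) ;; *) ports=1 ;; esac ;;
            *)    shift ;;
        esac
    done
    [ "$src" = "any" ] && [ "$dst" = "any" ] && [ "$ports" -eq 0 ]
}

# safe_ipfw ARGS...  runs ipfw, prompting first when the rule is a blanket
# block. Set IPFW_FORCE=1 to skip the prompt in scripts and rc files.
safe_ipfw() {
    if [ -z "${IPFW_FORCE:-}" ] && is_blanket_block "$@"; then
        printf 'ipfw %s\nThis rule matches ALL traffic and will cut you off too. Continue? [y/N] ' "$*" >&2
        read -r answer || answer=""
        case "$answer" in
            y|Y|yes) ;;
            *) echo "ipfw: rule not installed" >&2; return 1 ;;
        esac
    fi
    "$IPFW_BIN" "$@"
}

# usage, typically from a login shell:   alias ipfw=safe_ipfw
# safe_ipfw add 1 reset tcp from any to any    # asks before doing it
```

Sourcing this from a shell profile and aliasing `ipfw` to `safe_ipfw` gives the `rm -i` style of protection Jan describes for interactive sessions, while `IPFW_FORCE=1` keeps boot-time and scripted rule loads prompt-free, which is the reason people would otherwise alias the check away.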