From owner-freebsd-stable  Mon Feb  4 17:48:55 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from snipe.prod.itd.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62])
	by hub.freebsd.org (Postfix) with ESMTP
	id 73AF137B421; Mon,  4 Feb 2002 17:48:50 -0800 (PST)
Received: from user-2ivfo39.dialup.mindspring.com ([165.247.224.105] helo=gohan.cjclark.org)
	by snipe.prod.itd.earthlink.net with esmtp (Exim 3.33 #1)
	id 16Xuiw-0007OB-00; Mon, 04 Feb 2002 17:48:44 -0800
Received: (from cjc@localhost)
	by gohan.cjclark.org (8.11.6/8.11.6) id g151cPq05160;
	Mon, 4 Feb 2002 17:38:25 -0800 (PST)
	(envelope-from cjc)
Date: Mon, 4 Feb 2002 17:38:25 -0800
From: "Crist J. Clark" <cristjc@earthlink.net>
To: Matthew Whelan <muttley@gotadsl.co.uk>
Cc: "Jacques A. Vidrine" <n@nectar.cc>,
	Ruslan Ermilov <ru@FreeBSD.ORG>, Mike Tancsa <mike@sentex.net>,
	stable@FreeBSD.ORG, Warner Losh <imp@FreeBSD.ORG>
Subject: Re: dropping 127.* on the floor
Message-ID: <20020204173825.H3722@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <5.1.0.14.0.20020204092437.050e66e0@marble.sentex.ca> <KZWJE3VPJ5651WYXA7E0IH3ZLFOLI.3c5f1fce@VicNBob>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <KZWJE3VPJ5651WYXA7E0IH3ZLFOLI.3c5f1fce@VicNBob>; from muttley@gotadsl.co.uk on Mon, Feb 04, 2002 at 11:57:02PM -0000
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On Mon, Feb 04, 2002 at 11:57:02PM -0000, Matthew Whelan wrote:
> 04/02/2002 14:29:08, Mike Tancsa <mike@sentex.net> wrote:
> 
> >What if this were dealt as part of firewall rules ?  i.e. GENERIC was built 
> >by default with IPFIREWALL and firewall_enable="YES" and 
> >firewall_type="OPEN" were set. That way the behavior that people have come 
> >to rely on is still there for those that need it.
> 
> Well, some way of forcing a strong endpoint model would definitely be nice. 

  net.inet.ip.check_interface=1

> Aren't the problems with trying to do it in ipfw/ipf effectively the same as 
> with ip_output.c though (namely that the destination address has been re-
> written before inspection)?

There is a long discussion of this on cvs-all@ too.

I think the current leaning is to take out the hardcoded block out
(the recent change) and instead get the ifconfig(8) of lo0 to actually
route things correctly. As for the old incoming block (almost a year
ago), we may add a sysctl(8) to disable it, but it will still be on by
default.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message