From owner-freebsd-hackers Sun Mar 14 06:37:02 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id D73AC14F20 for ; Sun, 14 Mar 1999 06:36:58 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 3443 invoked by uid 1001); 14 Mar 1999 14:36:39 +0000 (GMT)
To: ru@ucb.crimea.ua
Cc: dg@freebsd.org, hackers@freebsd.org
Subject: Re: ipflow and ipfirewall
From: sthaug@nethelp.no
In-Reply-To: Your message of "Sun, 14 Mar 1999 16:24:19 +0200"
References: <19990314162419.A10242@relay.ucb.crimea.ua>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Sun, 14 Mar 1999 15:36:38 +0100
Message-ID: <3441.921422198@verdi.nethelp.no>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > > It seems that such "fast forwardable" packets, when passed from
> > > ether_input(), for example, just simply bypass all firewall checks.
> > >
> > > Am I right?
> >
> > You are.
> >
> > It's a big security leak...
>
> David, was it supposed by design (that such packets bypass the firewall)?

The way I see it, "fast forward" would be for router boxes at the core of your network. Here you're concerned about speed. Firewall filtering you normally want to do at the edges, where you're not so concerned about speed.

Personally, I think it's a sensible tradeoff.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message