From: sthaug@nethelp.no
To: benedikt@devnull.ruhr.de
Cc: marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
In-Reply-To: Your message of "28 Jul 1998 15:34:36 +0200"
References: <87af5um74j.fsf@devnull.ruhr.de>
Date: Wed, 29 Jul 1998 20:08:54 +0200
Message-ID: <2983.901735734@verdi.nethelp.no>

> > If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can
> > certainly see security advantages in not allowing packets to be accepted
> > unless they have destination address equal to the interface address. I
> > have seen a patch for this floating around on the net, but it would be
> > nice to have this configurable.
>
> I'd use a packet filter for that, something like

Certainly you can do that - but it seems like a rather heavyweight method
of solving this particular problem. I'd like to have something that could
be twiddled with sysctl myself.

> Making this the default behaviour will break a variety of things in
> connection with multihomed hosts that have interfaces in multiple
> networks (like for performance issues) but leave the actual routing
> business to some active network component.

Agreed - that's why I'd like to be able to turn this behavior off and on.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
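
The check discussed in this message can be modelled as a small input-path decision. The following is an added example, not code from the thread or from FreeBSD. Assumptions: `strict_dst_check` is a hypothetical name for the on/off knob, the two-interface host and its documentation-range addresses are constructed, and broadcast, multicast and loopback are left out of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
enum verdict { DELIVER, FORWARD, DROP };
struct iface { const char *name; uint32_t addr; };

struct host {
    const struct iface *ifs;
    size_t nifs;
    int forwarding;       /* models net.inet.ip.forwarding */
    int strict_dst_check; /* hypothetical knob, not a real sysctl name */
};

/* Constructed two-homed host using documentation address ranges. */
static const struct iface demo_ifs[] = {
    { "if0", IP(192, 0, 2, 1) },
    { "if1", IP(198, 51, 100, 1) },
};

struct host demo_host(int forwarding, int strict)
{
    return (struct host){ demo_ifs, 2, forwarding, strict };
}

/* Decide the fate of a packet for dst that arrived on interface rcv_if. */
enum verdict ip_input_decide(const struct host *h, size_t rcv_if, uint32_t dst)
{
    if (dst == h->ifs[rcv_if].addr)
        return DELIVER;                    /* matches receiving interface */
    for (size_t i = 0; i < h->nifs; i++) {
        if (h->ifs[i].addr != dst)
            continue;
        /* Address of another local interface: refused only by a
         * non-routing host with the knob turned on. */
        return (!h->forwarding && h->strict_dst_check) ? DROP : DELIVER;
    }
    return h->forwarding ? FORWARD : DROP; /* not a local address */
}

int main(void)
{
    struct host off = demo_host(0, 0), on = demo_host(0, 1);
    printf("knob off: %d, knob on: %d (0=DELIVER, 2=DROP)\n",
           (int)ip_input_decide(&off, 0, demo_ifs[1].addr),
           (int)ip_input_decide(&on, 0, demo_ifs[1].addr));
    return 0;
}
```

The multihomed case raised in the quoted reply is the second call: a packet for `if1`'s address arriving on `if0` is delivered with the knob off and dropped with it on, which is why the behaviour needs to be switchable.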