Date:      Tue, 27 Oct 1998 02:35:34 -0800
From:      "Jan B. Koum " <jkb@best.com>
To:        freebsd-net@FreeBSD.ORG
Subject:   Never Mind (WAS Re: tcp resets with ipfw)
Message-ID:  <19981027023534.A3619@best.com>
In-Reply-To: <19981026224146.A9124@best.com>; from Jan B. Koum  on Mon, Oct 26, 1998 at 10:41:46PM -0800
References:  <19981026224146.A9124@best.com>

On Mon, Oct 26, 1998 at 10:41:46PM -0800, "Jan B. Koum " <jkb> wrote:
> 
> 	Hello,
> 
> 	It will really be sad when someday someone with root access to
> 	FreeBSD box does (either accidentally or on purpose):
> 
> # ipfw add 1 reset tcp from any to any
> 
> 	While one might argue this is equivalent to doing "rm -rf /*",
> 	many people alias rm to rm -i. Would it make sense to have
> 	ipfw code check to make sure people don't take down the network
> 	by making a typo or some such? If so, how would we do that? I like 
> 	the way Cisco routers do:
> 
> This may severely impact network performance. Continue? [confirm]
> 
> 	But ipfw has to be non interactive (sh /etc/rc.firewall). On the
> 	other hand, maybe when someone is about to take down their network
> 	it would make sense to be interactive to make sure they know what
> 	they are doing?
> 
> 	I guess this is going all the way back to "Unix lets you do stupid
> 	things - else it wouldn't let you do smart things" or some such
> 	saying.
> 

	Ok, Never mind. I am being stupid again. *sigh*

	See, I can swear that when at one point I tried the above
	ipfw command, my whole home LAN went down. I did it from the
	system A, which only sits on the network and wasn't able to connect
	to system B from C because of RST's from system A.
	
	Now I can't do this. Odd. Now it only works with packets going
	to/from the system which has the ipfw rule in it. I think I am going
	crazy.

	Sorry for wasted bandwidth,

-- Yan

I don't have the password .... + Jan Koum 
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
