From owner-freebsd-current Wed Mar 27 10:05:52 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA14250 for current-outgoing; Wed, 27 Mar 1996 10:05:52 -0800 (PST)
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA14245 for ; Wed, 27 Mar 1996 10:05:45 -0800 (PST)
Received: from cantina.clinet.fi (root@cantina.clinet.fi [194.100.0.15]) by hauki.clinet.fi (8.7.3/8.6.4) with ESMTP id UAA11426; Wed, 27 Mar 1996 20:05:25 +0200 (EET)
Received: (hsu@localhost) by cantina.clinet.fi (8.7.3/8.6.4) id UAA08738; Wed, 27 Mar 1996 20:05:24 +0200 (EET)
Date: Wed, 27 Mar 1996 20:05:24 +0200 (EET)
Message-Id: <199603271805.UAA08738@cantina.clinet.fi>
From: Heikki Suonsivu
To: Eric Chet
Cc: freebsd-current@freebsd.org
In-reply-to: Eric Chet's message of 25 Mar 1996 17:06:10 +0200
Subject: Re: 2.2-960323-SNAP: ipfw problem
Organization: Clinet Ltd, Espoo, Finland
References:
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

From: Eric Chet

   The latest implementation of ipfw is to block everything if your list is
   empty. It makes sense: you put a firewall in place, but you did not tell
   it which IPs not to firewall.

This should have been a new config option, or the name should have been
changed. I have had ipfw in the kernel on all my routers so that when I need
to, I could block out links which were flooding or otherwise broken (named
loops, for example). This has been a very useful feature in the past. I was
very lucky to try this out on a machine which was sitting in our computer
room, not one of our remote machines.

This is a similar, though much more dangerous, change compared to removing
the GATEWAY option completely. Since the GATEWAY change I have at least 4
times managed to generate a 15 minute routing break when upgrading a remote
router by copying a new kernel over, wondering what went wrong, realizing
it, logging into the router and adding the sysctl to netstart (some of
these things are really old, as I try to avoid upgrading things which
work). Now, GATEWAY is a case where I *can* still log in to the machine.
Guess what happens when someone who does not know about the ipfw
"improvement", or forgets about it, installs a new kernel and reboots a
remote router which happens to be at the other side of the town :-(

This kind of change should always be done carefully. A quick change without
thinking may mean hundreds of people falling into a nasty trap.

--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-0-4375360 fax -4555276 home -8031121
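The lockout described in this thread (an ipfw kernel with an empty rule list denies everything, so a remote router rebooted into it can no longer be reached) can be caught before the reboot. The check below is an added example, not code from the thread or from FreeBSD: it parses a simplified, assumed subset of ipfw rule syntax (`add [num] allow|deny proto from src to dst`, evaluated in rule-number order, first match wins, no match or an empty list means deny) and refuses to proceed if a management session from the admin host would be blocked. The sample rule sets and addresses are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed subset of ipfw syntax (not a full parser):
#   add [<number>] (allow|deny) <proto> from <src> to <dst>
# src/dst are 'any' or an address/CIDR. Unnumbered rules are assumed to
# follow the previous rule (step 100), mirroring ipfw's numbering habit.
RULE_RE = re.compile(
    r"^add(?:\s+(\d+))?\s+(allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*$")

def parse_rules(text):
    """Return rules sorted by number: (num, action, proto, src, dst)."""
    rules, last = [], 0
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        num, action, proto, src, dst = m.groups()
        last = int(num) if num else last + 100
        rules.append((last, action, proto, src, dst))
    return sorted(rules, key=lambda r: r[0])

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def verdict(rules, proto, src, dst):
    """First-match evaluation; an empty or non-matching list denies."""
    for _, action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _addr_match(rsrc, src) and _addr_match(rdst, dst):
            return action
    return "deny"  # the behaviour the thread complains about

def safe_to_reboot(rules_text, admin_host, router_ip, proto="tcp"):
    """True only if management traffic is allowed in both directions."""
    rules = parse_rules(rules_text)
    return (verdict(rules, proto, admin_host, router_ip) == "allow"
            and verdict(rules, proto, router_ip, admin_host) == "allow")

# Constructed sample rule sets (documentation addresses, not real hosts).
EMPTY_RULES = ""
GOOD_RULES = """
add 100 allow tcp from 192.0.2.0/24 to 198.51.100.1   # admin net -> router
add 200 allow tcp from 198.51.100.1 to 192.0.2.0/24   # router -> admin net
add 65000 deny ip from any to any
"""
MISORDERED_RULES = "add 100 deny ip from any to any\nadd 200 allow tcp from any to any\n"
```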