Date: 17 Mar 1999 02:37:09 +0100
From: Dag-Erling Smorgrav <des@flood.ping.uio.no>
To: Ruslan Ermilov <ru@ucb.crimea.ua>
Cc: dg@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: ipflow and ipfirewall
Message-ID: <xzp90cwlwvu.fsf@flood.ping.uio.no>
In-Reply-To: Ruslan Ermilov's message of "Sun, 14 Mar 1999 16:24:19 +0200"
References: <19990313200150.A83040@relay.ucb.crimea.ua> <199903131819.TAA29395@rt2.synx.com> <19990314162419.A10242@relay.ucb.crimea.ua>
Ruslan Ermilov <ru@ucb.crimea.ua> writes:
> On Sat, Mar 13, 1999 at 07:11:19PM +0100, Remy Nonnenmacher wrote:
> > On 13 Mar, Ruslan Ermilov wrote:
> > > It seems that such "fast forwardable" packets, when passed from
> > > ether_input(), for example, just simply bypass all firewall checks.
> > > Am I right?
> > you are.
> It's a big security leak...
> David, was it supposed by design (that such packets bypass firewall)?

The whole point with fast forwarding is shortening the data path. This includes not running packets through the firewall. This is precisely why it's an option, and is not on by default. After all, if it had no disadvantages or side effects, there'd be no reason *not* to use it, right?

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
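The data-path ordering the thread is arguing about, as an added model written for this page (not FreeBSD's ipflow or ipfw code, and not from any participant in the thread). It reduces the forwarding path to a flow cache and a one-rule firewall, and shows why a cache hit taken before the firewall hook lets a flow that was cached while permitted keep passing after a deny rule is added. The `forward_filter_first` variant, the `flush_on_change` option and all addresses are assumptions constructed for the example; the real fix for a given kernel is whatever ordering or cache invalidation that kernel implements.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal IPv4 packet: only the fields the flow cache keys on. */
typedef struct { uint32_t src, dst; } pkt_t;

enum verdict { DROPPED = 0, FORWARDED_SLOW = 1, FORWARDED_FAST = 2 };

/* One-rule "firewall": deny a single source address, 0 = deny nothing.
 * Constructed stand-in for the firewall rule chain. */
static uint32_t deny_src;

static bool firewall_allows(const pkt_t *p) {
    return deny_src == 0 || p->src != deny_src;
}

/* Flow cache: remembers (src, dst) pairs already routed once. */
#define MAXFLOWS 16
static struct { uint32_t src, dst; bool valid; } flows[MAXFLOWS];

static void flush_flows(void) { memset(flows, 0, sizeof flows); }
static void reset_state(void) { deny_src = 0; flush_flows(); }

static bool flow_lookup(const pkt_t *p) {
    for (int i = 0; i < MAXFLOWS; i++)
        if (flows[i].valid && flows[i].src == p->src && flows[i].dst == p->dst)
            return true;
    return false;
}

static void flow_insert(const pkt_t *p) {
    for (int i = 0; i < MAXFLOWS; i++)
        if (!flows[i].valid) {
            flows[i].src = p->src; flows[i].dst = p->dst; flows[i].valid = true;
            return;
        }
}

/* Model of the path the thread describes: with fast forwarding on, a cache
 * hit at the input hook forwards immediately and never reaches the firewall;
 * only cache misses take the slow path, where the firewall runs. */
static enum verdict forward_ipflow(const pkt_t *p, bool fastfwd) {
    if (fastfwd && flow_lookup(p)) return FORWARDED_FAST;
    if (!firewall_allows(p)) return DROPPED;
    flow_insert(p);
    return FORWARDED_SLOW;
}

/* Assumed defensive ordering (not FreeBSD's code): the firewall verdict is
 * computed before the cache is consulted, so the cache only shortcuts
 * routing, never filtering. */
static enum verdict forward_filter_first(const pkt_t *p, bool fastfwd) {
    if (!firewall_allows(p)) return DROPPED;
    if (fastfwd && flow_lookup(p)) return FORWARDED_FAST;
    flow_insert(p);
    return FORWARDED_SLOW;
}

/* Scenario: a flow is cached while permitted, then the administrator adds a
 * rule denying its source. Returns the verdict for the flow's next packet. */
static enum verdict verdict_after_rule_change(enum verdict (*path)(const pkt_t *, bool),
                                              bool fastfwd, bool flush_on_change) {
    pkt_t p = { 0x0A000001u, 0xC0A80001u }; /* constructed: 10.0.0.1 -> 192.168.0.1 */
    reset_state();
    path(&p, fastfwd);            /* first packet: permitted, routed, cached */
    deny_src = p.src;             /* rule change: now deny 10.0.0.1 */
    if (flush_on_change) flush_flows();
    return path(&p, fastfwd);
}

int main(void) {
    static const char *names[] = { "DROPPED", "FORWARDED_SLOW", "FORWARDED_FAST" };
    printf("cache-before-firewall, fastfwd on : %s\n",
           names[verdict_after_rule_change(forward_ipflow, true, false)]);
    printf("cache-before-firewall, fastfwd off: %s\n",
           names[verdict_after_rule_change(forward_ipflow, false, false)]);
    printf("cache-before-firewall, flush      : %s\n",
           names[verdict_after_rule_change(forward_ipflow, true, true)]);
    printf("firewall-before-cache, fastfwd on : %s\n",
           names[verdict_after_rule_change(forward_filter_first, true, false)]);
    return 0;
}
```

The first line of output is the "leak" from the thread: the packet is forwarded on the cached fast path and the new deny rule is never consulted. The remaining lines show the three ways out: leave fast forwarding off (DES's point that it is off by default), flush the flow cache whenever the rule set changes, or put the filter ahead of the cache lookup so the cache can only ever shortcut a packet the firewall has already accepted.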
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzp90cwlwvu.fsf>