From owner-freebsd-hackers Tue Mar 16 17:38:55 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8C4DE150A6; Tue, 16 Mar 1999 17:38:52 -0800 (PST) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.2/8.9.1) id CAA18655; Wed, 17 Mar 1999 02:37:09 +0100 (CET) (envelope-from des)
To: Ruslan Ermilov
Cc: dg@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: ipflow and ipfirewall
References: <19990313200150.A83040@relay.ucb.crimea.ua> <199903131819.TAA29395@rt2.synx.com> <19990314162419.A10242@relay.ucb.crimea.ua>
From: Dag-Erling Smorgrav
Date: 17 Mar 1999 02:37:09 +0100
In-Reply-To: Ruslan Ermilov's message of "Sun, 14 Mar 1999 16:24:19 +0200"
Message-ID:
Lines: 19
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ruslan Ermilov writes:
> On Sat, Mar 13, 1999 at 07:11:19PM +0100, Remy Nonnenmacher wrote:
> > On 13 Mar, Ruslan Ermilov wrote:
> > > It seems that such "fast forwardable" packets, when passed from
> > > ether_input(), for example, just simply bypass all firewall checks.
> > > Am I right?
> > you are.
> It's a big security leak...
> David, was it supposed by design (that such packets bypass firewall)?

The whole point with fast forwarding is shortening the data path. This
includes not running packets through the firewall. This is precisely why
it's an option, and is not on by default. After all, if it had no
disadvantages or side effects, there'd be no reason *not* to use it,
right?

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message