Date: Wed, 17 Mar 1999 09:45:30 +0200 From: Ruslan Ermilov <ru@ucb.crimea.ua> To: Dag-Erling Smorgrav <des@flood.ping.uio.no> Cc: dg@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: ipflow and ipfirewall Message-ID: <19990317094530.A91937@relay.ucb.crimea.ua> In-Reply-To: <xzp90cwlwvu.fsf@flood.ping.uio.no>; from Dag-Erling Smorgrav on Wed, Mar 17, 1999 at 02:37:09AM %2B0100 References: <19990313200150.A83040@relay.ucb.crimea.ua> <199903131819.TAA29395@rt2.synx.com> <19990314162419.A10242@relay.ucb.crimea.ua> <xzp90cwlwvu.fsf@flood.ping.uio.no>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Mar 17, 1999 at 02:37:09AM +0100, Dag-Erling Smorgrav wrote: > Ruslan Ermilov <ru@ucb.crimea.ua> writes: > > On Sat, Mar 13, 1999 at 07:11:19PM +0100, Remy Nonnenmacher wrote: > > > On 13 Mar, Ruslan Ermilov wrote: > > > > It seems that such "fast forwardable" packets, when passed from > > > > ether_input(), for example, just simply bypass all firewall checks. > > > > Am I right? > > > you are. > > It's a big security leak... > > David, was it supposed by design (that such packets bypass firewall)? > > The whole point with fast forwarding is shortening the data path. This > includes not running packets through the firewall. This is precisely > why it's an option, and is not on by default. After all, if it had no > disadvantages or side effects, there'd be no reason *not* to use it, > right? > Agreed. One thing I thought of. Why it is not documented anywhere? -- Ruslan Ermilov Sysadmin and DBA of the ru@ucb.crimea.ua United Commercial Bank +380.652.247.647 Simferopol, Ukraine http://www.FreeBSD.org The Power To Serve http://www.oracle.com Enabling The Information Age To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990317094530.A91937>