From owner-freebsd-security Mon Jul 31 6:24:13 2000
From: Darren Reed
Message-Id: <200007311323.XAA29849@cairo.anu.edu.au>
Subject: Re: ipf or ipfw (was: log with dynamic firewall rules)
In-Reply-To: from Siobhan Patricia Lynch at "Jul 31, 0 09:07:01 am"
To: trish@bsdunix.net (Siobhan Patricia Lynch)
Date: Mon, 31 Jul 2000 23:23:55 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG

In some mail from Siobhan Patricia Lynch, sie said:
> unfortunately, it was put in as a stop gap. you have to remember that
> certain people were opposed to me doing ANYTHING at first, however I have
> not had a problem to date. and the traffic flowing through it is quite
> heavy.

It occurs to me that perhaps these people should have been listened to
more closely...

> no one is going to convince me that ipfw is the wrong thing for the job,
> maybe not the *best* thing, but that simply means that I would have needed
> an openbsd disk in an emergency at that particular time and had I had the
> cd's, well we wouldn't be having this discussion on a *freebsd* list,
> eh?

Well, had you gone the OpenBSD route you wouldn't have introduced a number
of bugs which can lead to a system doing filtering on bridged packets going
"boom". This is the sort of careless activity that leads to security holes
being introduced - and what's worse, it could have been avoided.
Maybe the post to bugtraq about this should list you personally as the
reason to blame if you want to claim the responsibility for it (ipfw for
bridging) being introduced.

Darren

p.s. I'm indifferent to what OS you chose, but not so to blatantly buggy
code being added to the kernel. Nobody reviewed it either? SIGH!