From owner-cvs-all@FreeBSD.ORG Sun May 9 10:47:28 2004
From: Darren Reed
To: Sam Leffler
cc: "Jacques A. Vidrine", cvs-src@FreeBSD.org, src-committers@FreeBSD.org, Andre Oppermann, cvs-all@FreeBSD.org
Date: Sun, 9 May 2004 10:47:28 -0700
Subject: Re: cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h
Message-ID: <20040509174728.GC96827@hub.freebsd.org>
In-Reply-To: <200405081125.43395.sam@errno.com>
References: <200405061846.i46Ik3Jc060969@repoman.freebsd.org> <200405070755.36055.sam@errno.com> <20040508152531.GA96827@hub.freebsd.org> <200405081125.43395.sam@errno.com>
List-Id: CVS commit messages for the entire tree

On Sat, May 08, 2004 at 11:25:43AM -0700, Sam Leffler wrote:
>
> I'm sensitive to the argument about duplicating functionality but I'll repeat
> again I consider this change worthwhile. To require each and every system
> configure a packet filter to get equivalent functionality is overkill IMO and
> is the reason I agreed with the change. If this were useful only for machines
> doing packet forwarding then I'd agree that it's duplicate functionality and
> better handled by a packet filter that would already be present in the
> system. However I expected it would be used by many/most endpoint systems
> that weren't necessarily using a packet filter. Further, if you can argue
> the default setting will rarely be changed then I'd agree that it's not worth
> keeping, but I felt otherwise--that folks would want to change the default
> setting to something else.
Anyone who thinks that firewalling technology only belongs on machines that pass packets from one network to another isn't watching the industry as a whole. You've got Microsoft enhancing its built-in firewall facility all the time, products like Zone Alarm that are immensely popular and targeted at exactly that kind of market, companies such as Sun wanting to integrate this sort of feature set, not so people can build Solaris firewalls but for host protection, and Apple including ipfw in MacOS. And that's not to forget the current evolution of firewall technology into NICs that are immune to tampering by the OS.

The real issue for FreeBSD isn't the presence of firewalling options, but making them easily accessible to users and making them manageable in a larger environment. Hence, I believe that the problem for FreeBSD is that even with "user friendly" input syntaxes for firewalls, the hurdle is still too high to enable basic security with them. If you can overcome that then the need for sysctls to block these offending packets is diminished.

And hence, I'd argue that people who want this sort of protection should be using a firewall (of whatever sort), not some obscure option elsewhere.

With respect to its main intended use (fast forwarding of packets), maybe it should be called (and limited to interaction with) this:

net.inet.ip.fastfwd.ignore_ipoptions

Darren