Date: Wed, 27 Mar 1996 20:05:24 +0200 (EET)
From: Heikki Suonsivu <hsu@clinet.fi>
To: Eric Chet <ec0@s1.GANet.NET>
Cc: freebsd-current@freebsd.org
Subject: Re: 2.2-960323-SNAP: ipfw problem
Message-ID: <199603271805.UAA08738@cantina.clinet.fi>
In-Reply-To: Eric Chet's message of 25 Mar 1996 17:06:10 +0200
References: <Pine.SOL.3.91.960325095339.14170A-100000@s1>
From: Eric Chet <ec0@s1.GANet.NET>
> The latest implementation of ipfw is to block everything if your list is
> empty. It makes sense: you put a firewall in place but you did not tell it
> which IPs to not firewall.

This should have been a new config option, or the name should have been changed.

I have had ipfw in the kernel on all my routers so that when I need to, I could block out links which were flooding or otherwise broken (named loops, for example). This has been a very useful feature in the past.

I was very lucky to try this out on a machine which was sitting in our computer room, not one of our remote machines.

This is a similar, though much more dangerous, change compared to removing the GATEWAY option completely. Since the GATEWAY change I have at least 4 times managed to generate a 15 minute routing break when upgrading a remote router by copying a new kernel over, wondering what went wrong, realizing it, logging into the router and adding the sysctl to netstart (some of these things are really old, as I try to avoid upgrading things which work). Now, GATEWAY is a case where I *can* still log in to the machine. Guess what happens when someone who does not know about the ipfw "improvement", or forgets about it, installs a new kernel and reboots a remote router which happens to be at the other side of the town :-(

This kind of change should always be done carefully. A quick change without thinking may mean hundreds of people falling into a nasty trap.

--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-0-4375360 fax -4555276 home -8031121
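The lock-out scenario above (deny-by-default ipfw in a new kernel on a router you can only reach over the network) is the kind of thing a pre-reboot check can catch. The script below is an added example, not code from the thread or from FreeBSD: it refuses the reboot when the kernel config enables IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT (an option later FreeBSD kernels provide) and the rule file that netstart would load has no catch-all allow rule. The file names, the rule-file layout and the accepted ipfw keywords (allow/pass/accept, ip/all) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-reboot sanity check for a
# remote router so a deny-by-default ipfw does not cut off the only way in.

# $1: kernel config file. True when IPFIREWALL is built in and, lacking the
# (later FreeBSD) IPFIREWALL_DEFAULT_TO_ACCEPT option, will deny by default.
kernel_defaults_to_deny() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$1" || return 1
    ! grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"
}

# $1: rule file, one "ipfw add ..." argument list per line (also matches the
# "<number> allow ip from any to any" form printed by "ipfw list").
# True when some rule allows all traffic from any to any.
has_catchall_allow() {
    grep -Eq '^[[:space:]]*(add[[:space:]]+)?([0-9]+[[:space:]]+)?(allow|pass|accept)[[:space:]]+(ip|all)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any([[:space:]]|$)' "$1"
}

# $1: kernel config, $2: rule file. Returns 0 when rebooting is safe, 1 when
# the new kernel would silently drop everything, the remote login included.
preflight() {
    if kernel_defaults_to_deny "$1" && ! has_catchall_allow "$2"; then
        echo "REFUSE: $1 enables IPFIREWALL (deny by default) and $2 has no catch-all allow rule" >&2
        return 1
    fi
    return 0
}

# Constructed sample inputs in a scratch directory; $1 is "empty" (the trap
# described in the thread) or "allow" (rule file ends with a catch-all allow).
demo() {
    d=$(mktemp -d) || return 2
    printf 'options\tIPFIREWALL\noptions\tGATEWAY\n' > "$d/ROUTER"
    case "$1" in
        empty) : > "$d/rules" ;;
        allow) printf 'add 100 deny ip from 10.0.0.0/8 to any\nadd 65000 allow ip from any to any\n' > "$d/rules" ;;
        *)     rm -rf "$d"; return 2 ;;
    esac
    if preflight "$d/ROUTER" "$d/rules"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

Run `demo empty` to see the refusal the thread's author would have wanted before his 15 minute routing breaks; `demo allow` passes.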