Date:      Sun, 14 Mar 1999 15:36:38 +0100
From:      sthaug@nethelp.no
To:        ru@ucb.crimea.ua
Cc:        dg@freebsd.org, hackers@freebsd.org
Subject:   Re: ipflow and ipfirewall
Message-ID:  <3441.921422198@verdi.nethelp.no>
In-Reply-To: Your message of "Sun, 14 Mar 1999 16:24:19 +0200"
References:  <19990314162419.A10242@relay.ucb.crimea.ua>

> > > It seems that such "fast forwardable" packets, when passed from
> > > ether_input(), for example, just simply bypass all firewall checks.
> > > 
> > > Am I right?
> > > 
> > 
> > you are.
> > 
> 
> It's a big security leak...
> David, was it supposed by design (that such packets bypass firewall)?

The way I see it, "fast forward" would be for router boxes at the core
of your network. Here you're concerned about speed. Firewall filtering
you normally want to do at the edges, where you're not so concerned about
speed.

Personally, I think it's a sensible tradeoff.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

