Gleb Smirnoff wrote:
> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
> J> >I haven't tried 7.x yet but has anyone seen
> J> >the FWD command of ipfw running on 6.1?
> J> >
> J> >or anyone know of problems with it that may have been fixed on -current?
> J>
> J> Just found the "EXTENDED" option for ipfw fwd.
> J>
> J> Why we need that is weird since it just allows it to act as it always
> J> used to and it never
> J> caused any massive problems that I know of (I committed it originally).
> J> personally I consider removing the option and making it default or
> J> reversing it and
> J> calling it
> J>
> J> IPFIREWALL_FORWARD_CRIPPLED
>
> I'm surprised that you have noticed it only now. When Andre has introduced
> this option that turns on a functionality that was present always before,
> I was quite angry but everyone ignored me. This even went to release notes
> as "new feature".

The reason I did it this way was to prevent way too easy foot shooting
by redirecting too much traffic somewhere else and killing the
reachability of the host itself or other hosts on directly connected
networks.

Yes, the two level approach has some drawbacks but also makes people
much more aware of what they are doing by having to explicitly specify
the second kernel option. To enable ipfirewall forwarding people have
to compile their own kernel anyway, having them specify the second
additional option is not too much of a burden. Although I agree that
for experienced people it is some additional work to enter the two
dozen characters.

--
Andre

Received on Fri Aug 04 2006 - 16:02:31 UTC