On 04.08.2006 at 20:02, Andre Oppermann wrote:

> Gleb Smirnoff wrote:
>> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
>> J> >I haven't tried 7.x yet but has anyone seen
>> J> >the FWD command of ipfw running on 6.1?
>> J> >
>> J> >or anyone know of problems with it that may have been fixed on -current?
>> J>
>> J> Just found the "EXTENDED" option for ipfw fwd.
>> J>
>> J> Why we need that is weird since it just allows it to act as it always
>> J> used to and it never caused any massive problems that I know of (I
>> J> committed it originally).
>> J> Personally I consider removing the option and making it default or
>> J> reversing it and calling it
>> J>
>> J> IPFIREWALL_FORWARD_CRIPPLED
>>
>> I'm surprised that you have noticed it only now. When Andre introduced
>> this option that turns on a functionality that was always present
>> before, I was quite angry but everyone ignored me. This even went to
>> release notes as "new feature".
>
> The reason I did it this way was to prevent way too easy foot shooting by
> redirecting too much traffic somewhere else and killing the reachability
> of the host itself or other hosts on directly connected networks. Yes, the
> two-level approach has some drawbacks but also makes people much more aware
> of what they are doing by having to explicitly specify the second kernel
> option. To enable ipfirewall forwarding people have to compile their own
> kernel anyway, having them specify the second additional option is not too
> much of a burden.

I couldn't find a good description of what functionality IPFIREWALL_FORWARD_EXTENDED actually enables, besides the one half-sentence in ipfw(8):

    [...] With the additional option options IPFIREWALL_FORWARD_EXTENDED all
    safeguards are removed and it also makes it possible to redirect packets
    destined to locally configured IP addresses.

Removing "all safeguards" sounds like my machine is going to burn up if I enable this.
And it turns out (at least in RELENG_5) that you need IPFIREWALL_FORWARD_EXTENDED also if you want to forward packets that *originate* at the local host. It might help future users to clarify under which circumstances the option is needed, and which potential feet they might shoot...

Stefan

--
Stefan Bethke <stb_at_lassitu.de> Phone +49 170 346 0140

Received on Fri Aug 04 2006 - 16:16:36 UTC
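The two points raised in the thread, that IPFIREWALL_FORWARD_EXTENDED drops the kernel's refusal to fwd packets addressed to the host itself and that (at least on RELENG_5) it is also required to fwd locally originated packets, are illustrated below as an added example; this is not code from the thread or from FreeBSD. It is an ipfw ruleset for a transparent HTTP proxy that keeps the guard the EXTENDED option removes as an explicit rule, and marks which fwd rule needs which kernel option. Interface names (em0/em1), the LAN prefix, the proxy address 127.0.0.1,3128, the proxy user name, and the rule numbers are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD: ipfw fwd rules for a
# transparent HTTP proxy, written so that the safeguard removed by
# IPFIREWALL_FORWARD_EXTENDED (no redirect of packets addressed to "me")
# is restated as an explicit rule.
#
# Assumed kernel config for the two-level approach discussed in the thread:
#   options IPFIREWALL
#   options IPFIREWALL_FORWARD           # enough for rule 200 (transit traffic)
#   options IPFIREWALL_FORWARD_EXTENDED  # needed for rule 210 (locally
#                                        # originated traffic, per the thread)
#
# All names below are constructed for the example; override from the
# environment as needed.
wan_if="${wan_if:-em0}"
lan_if="${lan_if:-em1}"
lan_net="${lan_net:-192.168.1.0/24}"
proxy="${proxy:-127.0.0.1,3128}"       # local transparent proxy socket
proxy_user="${proxy_user:-squid}"      # uid the proxy daemon runs as

# Dry run by default: print the ipfw commands instead of applying them.
# Invoke with fwcmd=/sbin/ipfw to load the rules for real.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

# Guard rules. Rule 110 is the check a plain IPFIREWALL_FORWARD kernel does
# implicitly by refusing to fwd packets destined to a local address; once
# EXTENDED is compiled in, the ruleset has to say it, and it must come before
# any fwd rule so the host stays reachable from every attached network.
guard_rules() {
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 allow ip from any to me
}

# Redirects. Rule 200 only touches LAN clients' outbound HTTP arriving on the
# LAN interface and works with IPFIREWALL_FORWARD alone. Rule 205 lets the
# proxy's own upstream connections out first; without it rule 210 would hand
# them straight back to the proxy. Rule 210 redirects the host's own outbound
# HTTP, which the thread reports needs IPFIREWALL_FORWARD_EXTENDED.
fwd_rules() {
    ${fwcmd} add 200 fwd ${proxy} tcp from ${lan_net} to any 80 in via ${lan_if}
    ${fwcmd} add 205 allow tcp from me to any 80 out via ${wan_if} uid ${proxy_user}
    ${fwcmd} add 210 fwd ${proxy} tcp from me to any 80 out via ${wan_if}
}

# The foot-shooting Andre describes, kept here only as a counter-example and
# never loaded: with EXTENDED this would also redirect packets addressed to
# this host and to its directly connected neighbours, because nothing in the
# match excludes them.
#   ${fwcmd} add 200 fwd 192.168.1.254 ip from any to any

# Replace only our own rule numbers (not the whole ruleset), guards first.
load_fwd_rules() {
    ${fwcmd} -q delete 100 110 200 205 210 2>/dev/null || :
    guard_rules && fwd_rules
}

load_fwd_rules
```

Run as-is to see the rules that would be loaded; with fwcmd=/sbin/ipfw the same functions apply them. Whether rule 210 is honoured at all depends on the kernel having IPFIREWALL_FORWARD_EXTENDED, which is exactly the behaviour the thread asks to have documented.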