Re: Ignore: Re: ipfw output FWD broken on 6.1 and newer?

From: Stefan Bethke <stb_at_lassitu.de>
Date: Fri, 4 Aug 2006 20:16:07 +0200
On 04.08.2006 at 20:02, Andre Oppermann wrote:

> Gleb Smirnoff wrote:
>> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
>> J> > I haven't tried 7.x yet but has anyone seen
>> J> > the FWD command of ipfw running on 6.1?
>> J> >
>> J> > or anyone know of problems with it that may have been fixed on -current?
>> J>
>> J> Just found the "EXTENDED" option for ipfw fwd.
>> J>
>> J> Why we need that is weird since it just allows it to act as it always
>> J> used to and it never caused any massive problems that I know of (I
>> J> committed it originally).
>> J> personally I consider removing the option and making it default or
>> J> reversing it and calling it
>> J>
>> J> IPFIREWALL_FORWARD_CRIPPLED
>> I'm surprised that you have noticed it only now. When Andre introduced
>> this option that turns on a functionality that was always present
>> before, I was quite angry but everyone ignored me. This even went to
>> release notes as "new feature".
>
> The reason I did it this way was to prevent way too easy foot shooting by
> redirecting too much traffic somewhere else and killing the reachability
> of the host itself or other hosts on directly connected networks. Yes, the
> two level approach has some drawbacks but also makes people much more aware
> of what they are doing by having to explicitly specify the second kernel
> option. To enable ipfirewall forwarding people have to compile their own
> kernel anyway, having them specify the second additional option is not too
> much of a burden.

I couldn't find a good description of what functionality
IPFIREWALL_FORWARD_EXTENDED actually enables, besides the one
half-sentence in ipfw(8):

    [...] With the additional option
    options IPFIREWALL_FORWARD_EXTENDED all safeguards are removed
    and it also makes it possible to redirect packets destined to
    locally configured IP addresses.

Removing "all safeguards" sounds like my machine is going to burn up if I
enable this. And it turns out (at least in RELENG_5) that you need
IPFIREWALL_FORWARD_EXTENDED also if you want to forward packets that
*originate* at the local host.

It might help future users to clarify under which circumstances the option
is needed, and which potential feet they might shoot...


Stefan

-- 
Stefan Bethke <stb_at_lassitu.de>   Fon +49 170 346 0140
Received on Fri Aug 04 2006 - 16:16:36 UTC
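As an added illustration, not part of the original thread or of FreeBSD's own documentation, here is a constructed ipfw rules file that sorts common fwd uses by which kernel option they need: the first two cases follow from the ipfw(8) text quoted in the message (only IPFIREWALL_FORWARD), the third from the "locally configured IP addresses" clause, and the fourth from Stefan's RELENG_5 observation about locally originated packets. The interface name em0, the addresses 192.0.2.1 / 198.51.100.10 / 192.168.1.0/24 and the proxy port 3128 are assumptions chosen for the example.

```conf
# Constructed example ipfw rules file (load with: ipfw -q /path/to/this/file).
# Kernel options this example assumes are compiled in:
#   options IPFIREWALL
#   options IPFIREWALL_FORWARD            # fwd for transit traffic
#   options IPFIREWALL_FORWARD_EXTENDED   # required for rules 300 and 400

# 100: transit traffic from the LAN sent to an upstream next hop.
#      Needs only IPFIREWALL_FORWARD: the packets neither originate on
#      this host nor are addressed to one of its IPs.
#      The match is kept narrow (source net, direction, interface) so
#      traffic to directly connected hosts is not pulled in as well,
#      which is the foot-shooting Andre describes above.
add 100 fwd 192.0.2.1 ip from 192.168.1.0/24 to any out via em0

# 200: transparent proxying of LAN web traffic to a local proxy.
#      Also plain IPFIREWALL_FORWARD: the *original* destination is
#      remote; only the new next hop (127.0.0.1,3128) is local.
add 200 fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 in via em0

# 300: packets addressed to one of this host's own IPs, handed to
#      another machine instead (here, inbound SMTP).  This is the
#      "redirect packets destined to locally configured IP addresses"
#      case and needs IPFIREWALL_FORWARD_EXTENDED.
add 300 fwd 198.51.100.10 tcp from any to me 25 in via em0

# 400: packets that *originate* on this host ("me" as source), steered
#      to a different gateway than the routing table would pick.  Per
#      Stefan's RELENG_5 observation this also needs
#      IPFIREWALL_FORWARD_EXTENDED.
add 400 fwd 192.0.2.1 ip from me to any out via em0
```

Without IPFIREWALL_FORWARD_EXTENDED the kernel simply does not apply the fwd action for the cases in rules 300 and 400, so the symptom is traffic following the ordinary routing table rather than an error when the rule is loaded; checking the counters with `ipfw show` is the quickest way to see whether a fwd rule is matching at all.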
