Andre Oppermann wrote: > Gleb Smirnoff wrote: > >> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote: >> J> >I haven't tried 7.x yet but has anyone seen >> J> >the FWD command of ipfw running on 6.1? >> J> > >> J> >or anyone know of problems with it that may have been fixed on >> -current? >> J> J> Just found the "EXTENDED" option for ipfw fwd. >> J> J> Why we need that is wierd since it just allows it to act as it >> always J> used to and it never >> J> aused any massive problems that I know of (I committed it >> originally). >> J> personally I consider removing the option and making it default or >> J> reversing it and >> J> calling it >> J> J> IPFIREWALL_FORWARD_CRIPPLED >> >> I'm suprised that you have noticed it only now. When Andre has >> introduced >> this option that turns on a functionality that was present always >> before, >> I was quite angry but everyone ignored me. This even went to release >> notes >> as "new feature". > > > The reason I did it this way was to prevent way too easy foot shooting by > redirecting too much traffic somewhere else and killing the reachability > of the host itself of other hosts on directly connected networks. > Yes, the > two level approach has some drawbacks but also makes people much more > aware > of what they are doing by having to explicitly specify the second kernel > option. To enable ipfirewall forwarding people have to compile their own > kernel anyway, having them specify the second additional option is not > too > much of a burden. Although I agree that for experienced people it is > some > additional work to enter the two dozen characters. > Andre, I committer the original fwd code. I do not thnk that it is any more danger ous eot do this than to block yourself off with the firewall in any other way. If you don't mind I plan to remove that option and restore the original functionality as default.Received on Fri Aug 04 2006 - 18:02:29 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:58 UTC