cvs commit: src/sys/netinet ip_fastfwd.c ip_input.c ip_var.h

Darren Reed darrenr at hub.freebsd.org
Sun May 9 10:47:28 PDT 2004 

On Sat, May 08, 2004 at 11:25:43AM -0700, Sam Leffler wrote:
> 
> I'm sensitive to the argument about duplicating functionality but I'll repeat 
> again I consider this change worthwhile. To require each and every system 
> configure a packet filter to get equivalent functionality is overkill IMO and 
> is the reason I agreed with the change. If this were useful only for machines 
> doing packet forwarding then I'd agree that it's duplicate functionality and 
> better handled by a packet filter that would already be present in the 
> system.  However I expected it would be used by many/most endpoint systems 
> that weren't necessarily using a packet filter.  Further, if you can argue 
> the default setting will rarely be changed then I'd agree that it's not worth 
> keeping, but I felt otherwise--that folks would want to change the default 
> setting to something else.

Anyone who thinks that firewalling technology only belongs on machines
that pass packets from one network to another isn't watching the industry
as a whole.

You've got Microsoft enhancing its built-in firewall facility, all the
time, products like Zone Alarm that are immensely popular and targetted
at exactly that kind of market, companies such as Sun wanting to integrate
this sort of feature set is not so people can build Solaris firewalls but
for host protection, and Apple including ipfw in MacOS.  And that's not
to forget the current evolution of firewall technology into NICs that
are immune to tampering by the OS.

The real issue for FreeBSD isn't the presence of firewalling options,
but making them easily accessible to users and making them managable
in a larger environment.  Hence, I believe that the problem for FreeBSD
is that even with "user friendly" input syntaxes for firewalls, the
hurdle is still too high to enable basic security with them.  If you
can overcome that then the need for ssyctl's to block these offending
packets is diminished.

And hence, I'd argue that people who want this sort of protection
should be using a firewall (of whatever sort), not some obscure option,
elsewhere.

With respect to its main intended use (fast forwarding of packets),
maybe it should be called (and limited to interaction with) this:

net.inet.ip.fastfwd.ignore_ipoptions

Darren

More information about the cvs-all mailing list