Date: Wed, 29 Jul 1998 20:08:54 +0200
From: sthaug@nethelp.no
To: benedikt@devnull.ruhr.de
Cc: marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-ID: <2983.901735734@verdi.nethelp.no>
In-Reply-To: Your message of "28 Jul 1998 15:34:36 +0200"
References: <87af5um74j.fsf@devnull.ruhr.de>

> > If your box is set up *not* to route (net.inet.ip.forwarding = 0), I can
> > certainly see security advantages in not allowing packets to be accepted
> > unless they have destination address equal to the interface address. I
> > have seen a patch for this floating around on the net, but it would be
> > nice to have this configurable.
>
> I'd use a packet filter for that, something like

Certainly you can do that - but it seems like a rather heavyweight method
of solving this particular problem. I'd like to have something that could
be twiddled with sysctl myself.

> Making this the default behaviour will break a variety of things in
> connection with multihomed hosts that have interfaces in multiple
> networks (like for performance issues) but leave the actual routing
> business to some active network component.

Agreed - that's why I'd like to be able to turn this behavior off and on.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
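
Added example, not part of the original message and not FreeBSD code: a small C model of the input check discussed in this thread, showing why a multihomed, non-routing host behaves differently once the check is switched on. The strict_dst flag is a hypothetical stand-in for the requested sysctl; the model assumes one address per interface, ignores broadcast and multicast, and uses constructed addresses from the documentation ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

enum verdict { DELIVER, FORWARD, DROP };

struct host {
    bool forwarding;         /* models net.inet.ip.forwarding */
    bool strict_dst;         /* hypothetical knob: the toggle asked for in the thread */
    const uint32_t *ifaddr;  /* one address per interface (simplifying assumption) */
    size_t nif;
};

/* Decide what to do with a unicast packet that arrived on interface rcvif. */
enum verdict ip_input_verdict(const struct host *h, size_t rcvif, uint32_t dst)
{
    for (size_t i = 0; i < h->nif; i++) {
        if (h->ifaddr[i] != dst)
            continue;
        if (i == rcvif)
            return DELIVER;   /* dst is the receiving interface's own address */
        /* dst is a local address, but it belongs to a different interface */
        if (!h->forwarding && h->strict_dst)
            return DROP;      /* strict check on a non-routing host */
        return DELIVER;       /* traditional behaviour: any local address is accepted */
    }
    return h->forwarding ? FORWARD : DROP;  /* not a local address */
}

/* Constructed two-interface host (documentation address ranges). */
static const uint32_t sample_if[] = { IP4(192, 0, 2, 1), IP4(198, 51, 100, 1) };

enum verdict sample_verdict(bool forwarding, bool strict_dst, size_t rcvif, uint32_t dst)
{
    struct host h = { forwarding, strict_dst, sample_if, 2 };
    return ip_input_verdict(&h, rcvif, dst);
}

int main(void)
{
    /* Packet for interface 1's address arriving on interface 0. */
    printf("strict off: %d, strict on: %d\n",
           sample_verdict(false, false, 0, sample_if[1]),
           sample_verdict(false, true, 0, sample_if[1]));
    return 0;
}
```

The DROP case is the one that affects multihomed hosts whose peers reach one interface's address through another interface, which is why the thread asks for the check to be switchable.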