From: sthaug@nethelp.no
To: wes@softweyr.com
Cc: ru@ucb.crimea.ua, dg@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: ipflow and ipfirewall
In-Reply-To: Your message of "Sun, 14 Mar 1999 11:23:43 -0700"
References: <36EBFEAF.C37CFCE6@softweyr.com>
Date: Sun, 14 Mar 1999 19:29:51 +0100
Message-ID: <5418.921436191@verdi.nethelp.no>

> > The way I see it, "fast forward" would be for router boxes at the core
> > of your network. Here you're concerned about speed. Firewall filtering
> > you normally want to do at the edges, where you're not so concerned about
> > speed.
>
> Apparently you see only networks where all users are equally trusted.

No.

> Most don't. Of course, if you were really worried about security,
> you wouldn't be using shared media and routers, would you?

I think you're misunderstanding what I'm saying. I think that having a
"fast forward" option *available* is nice - for instance for situations
where you want your FreeBSD box to *only* act as a router and want the
highest performance.

If you don't like the fact that the "fast forward" path doesn't include
filtering, then you simply shouldn't use the "fast forward" path. Is this
so difficult?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no