Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 04 Aug 2006 20:02:29 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Gleb Smirnoff <glebius@FreeBSD.org>
Cc:        Julian Elischer <julian@elischer.org>, current@FreeBSD.org
Subject:   Re: Ignore: Re: ipfw output FWD broken on 6.1 and newer?
Message-ID:  <44D38BB5.4080009@freebsd.org>
In-Reply-To: <20060804101052.GW96644@FreeBSD.org>
References:  <44D1473F.1000204@elischer.org> <44D150D6.6010101@elischer.org> <20060804101052.GW96644@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Gleb Smirnoff wrote:
> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
> J> >I haven't tried 7.x yet but has anyone seen
> J> >the FWD command of ipfw running on 6.1?
> J> >
> J> >or anyone know of problems with it that may have been fixed on -current?
> J> 
> J> Just found the "EXTENDED" option for ipfw fwd.
> J> 
> J> Why we need that is wierd since it just allows it to act as it always 
> J> used to and it never
> J> aused any massive problems that I know of  (I committed it originally).
> J> personally I consider removing the option and making it default or 
> J> reversing it and
> J> calling it
> J> 
> J> IPFIREWALL_FORWARD_CRIPPLED
> 
> I'm suprised that you have noticed it only now. When Andre has introduced
> this option that turns on a functionality that was present always before,
> I was quite angry but everyone ignored me. This even went to release notes
> as "new feature".

The reason I did it this way was to prevent way too easy foot shooting by
redirecting too much traffic somewhere else and killing the reachability
of the host itself of other hosts on directly connected networks.  Yes, the
two level approach has some drawbacks but also makes people much more aware
of what they are doing by having to explicitly specify the second kernel
option.  To enable ipfirewall forwarding people have to compile their own
kernel anyway, having them specify the second additional option is not too
much of a burden.  Although I agree that for experienced people it is some
additional work to enter the two dozen characters.

-- 
Andre



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44D38BB5.4080009>