From: Andre Oppermann <andre@freebsd.org>
Date: Fri, 04 Aug 2006 20:02:29 +0200
To: Gleb Smirnoff
Cc: Julian Elischer, current@FreeBSD.org
Subject: Re: Ignore: Re: ipfw output FWD broken on 6.1 and newer?
Message-ID: <44D38BB5.4080009@freebsd.org>
In-Reply-To: <20060804101052.GW96644@FreeBSD.org>
References: <44D1473F.1000204@elischer.org> <44D150D6.6010101@elischer.org> <20060804101052.GW96644@FreeBSD.org>
List: freebsd-current (Discussions about the use of FreeBSD-current)

Gleb Smirnoff wrote:
> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
> J> >I haven't tried 7.x yet but has anyone seen
> J> >the FWD command of ipfw running on 6.1?
> J> >
> J> >or anyone know of problems with it that may have been fixed on -current?
> J>
> J> Just found the "EXTENDED" option for ipfw fwd.
> J>
> J> Why we need that is weird since it just allows it to act as it always
> J> used to and it never
> J> caused any massive problems that I know of (I committed it originally).
> J> Personally I consider removing the option and making it default or
> J> reversing it and
> J> calling it
> J>
> J> IPFIREWALL_FORWARD_CRIPPLED
>
> I'm surprised that you have noticed it only now. When Andre introduced
> this option that turns on a functionality that was always present before,
> I was quite angry but everyone ignored me. This even went to release notes
> as a "new feature".

The reason I did it this way was to prevent way too easy foot shooting by
redirecting too much traffic somewhere else and killing the reachability of
the host itself or of other hosts on directly connected networks. Yes, the
two-level approach has some drawbacks, but it also makes people much more
aware of what they are doing by having to explicitly specify the second
kernel option. To enable ipfirewall forwarding people have to compile their
own kernel anyway; having them specify the second additional option is not
too much of a burden. Although I agree that for experienced people it is
some additional work to enter the two dozen characters.

-- 
Andre