From: Julian Elischer
Date: Fri, 04 Aug 2006 13:02:25 -0700
To: Andre Oppermann
Cc: Gleb Smirnoff, current@freebsd.org
Subject: Re: Ignore: Re: ipfw output FWD broken on 6.1 and newer?
Message-ID: <44D3A7D1.2060607@elischer.org>
In-Reply-To: <44D38BB5.4080009@freebsd.org>

Andre Oppermann wrote:
> Gleb Smirnoff wrote:
>
>> On Wed, Aug 02, 2006 at 06:26:46PM -0700, Julian Elischer wrote:
>> J> >I haven't tried 7.x yet but has anyone seen
>> J> >the FWD command of ipfw running on 6.1?
>> J> >
>> J> >or anyone know of problems with it that may have been fixed on -current?
>> J>
>> J> Just found the "EXTENDED" option for ipfw fwd.
>> J>
>> J> Why we need that is weird since it just allows it to act as it always
>> J> used to and it never caused any massive problems that I know of (I
>> J> committed it originally).
>> J> Personally I consider removing the option and making it default or
>> J> reversing it and calling it
>> J>
>> J> IPFIREWALL_FORWARD_CRIPPLED
>>
>> I'm surprised that you have noticed it only now. When Andre introduced
>> this option that turns on a functionality that was present always before,
>> I was quite angry but everyone ignored me. This even went to release notes
>> as "new feature".
>
> The reason I did it this way was to prevent way too easy foot shooting by
> redirecting too much traffic somewhere else and killing the reachability
> of the host itself or other hosts on directly connected networks. Yes, the
> two level approach has some drawbacks but also makes people much more aware
> of what they are doing by having to explicitly specify the second kernel
> option. To enable ipfirewall forwarding people have to compile their own
> kernel anyway, having them specify the second additional option is not too
> much of a burden. Although I agree that for experienced people it is some
> additional work to enter the two dozen characters.

Andre, I committed the original fwd code. I do not think that it is any more
dangerous to do this than to block yourself off with the firewall in any other
way. If you don't mind I plan to remove that option and restore the original
functionality as default.