Subject: Re: ipfilter loading.
To: None <thorpej@nas.nasa.gov>
From: Andrew Gillham <gillhaa@ghost.whirlpool.com>
List: tech-kern
Date: 04/29/1997 14:28:04
Jason R. Thorpe wrote:
> 
> On Mon, 28 Apr 1997 22:45:22 -0700 
>  Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
> 
>  > Oh. good point.   What are those uses -- are they security-related?
>  > Does changing the rule-filter default state break ipfilter for those uses?
> 
> ...NAT and passive logging come to mind.  Think of cases where the machine
> is on a _wide open_ network, just collecting data about what sort
> of traffic is on the wire...

Speaking of NAT, the examples aren't correct in the manpage.  (they
don't have the interface name)
Regarding when ipfilter is enabled, I disagree with enabling it by
default.  Jonathon Stone argues that the change "broke his firewall",
and that it is less secure.  That is a good one.  Who is going to run
-current on his firewall, and upgrade it daily?  Also, the default
rule is to pass all traffic, which is exactly the same as not enabling
it.

-Andrew
-- 
-----------------------------------------------------------------
Andrew Gillham                            | This space left blank
gillham@whirlpool.com                     | inadvertently.
I speak for myself, not for my employer.  | Contact the publisher.