Subject: Re: New IP filter code
To: Michael Graff <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 04/01/1997 17:25:53
In message <>, Michael Graff writes:
>"Perry E. Metzger" <> writes:
>> > Having to explicitly turn ip_filter *on* is a bug, in some environments.
>> Indeed. You don't want packets to leak during bootup.
>Can you turn it on before the interfaces are configured?  If so,
>that seems like a workable solution.

Not really, no.  Yes, ip_fil on a firewall can be made to work
that way, if configured correctly.

But the behavior of the old and `fixed' versions in the face of
configuration errors; or booting single-user and "accidentally"
bringing up interfaces without enabling filtering; or when upgrading
kernels on the firewall, etc., is...  different.

From a security perspective, that difference really does matter.
Perry and I have quite different views on security but on this we seem
to agree, at least in part.
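The "turn it on before the interfaces are configured" ordering from the message above, written out as a fail-closed bring-up script. This is an added example, not code from the thread, from NetBSD's rc scripts, or from IPFilter. Assumed, and therefore hypothetical: the function name bring_up_filtered, the IPF/IFCONFIG/RULES override variables, the ruleset path /etc/ipf.conf, and the ipf(8) flags -E (enable), -Fa (flush all) and -f FILE (load rules) as I remember them; the overrides exist so the ordering can be exercised without touching a real host.

```shell
#!/bin/sh
# Fail-closed interface bring-up. Added example, not code from the thread,
# NetBSD, or IPFilter. Assumptions (hypothetical, overridable so the script
# can be exercised without touching a real host):
#   IPF       command that enables the filter and loads rules; defaults to
#             IPFilter's ipf(8) with its -E (enable), -Fa (flush all) and
#             -f FILE (load rules) flags
#   IFCONFIG  command that gives the interface an address; defaults to ifconfig(8)
#   RULES     ruleset file, assumed to end in a default "block in all"
IPF="${IPF:-ipf}"
IFCONFIG="${IFCONFIG:-ifconfig}"
RULES="${RULES:-/etc/ipf.conf}"

# bring_up_filtered IFACE ADDR NETMASK
# Enable filtering first, configure the interface last, and stop at the first
# failure so the interface never comes up unfiltered. Returns 0 only when
# every step succeeded.
bring_up_filtered() {
    iface=$1
    addr=$2
    mask=$3

    # A missing or unreadable ruleset is a configuration error. Treat it as
    # fatal rather than falling through to "no rules, pass everything".
    if [ ! -r "$RULES" ]; then
        echo "bring_up_filtered: ruleset $RULES is not readable; leaving $iface down" >&2
        return 1
    fi

    # Enable the filter and load the ruleset in one call. The interface still
    # has no address, so nothing can leak while the rules are being loaded.
    # A kernel without the filter makes this call fail, which also keeps the
    # interface down instead of silently running unfiltered.
    if ! "$IPF" -E -Fa -f "$RULES"; then
        echo "bring_up_filtered: could not enable filter; leaving $iface down" >&2
        return 1
    fi

    # Only now give the interface an address.
    "$IFCONFIG" "$iface" inet "$addr" netmask "$mask" up
}

# Usage: sh this_script.sh le0 192.0.2.10 255.255.255.0
if [ $# -ge 3 ]; then
    bring_up_filtered "$1" "$2" "$3"
fi
```

The script only helps if it is the path every bring-up goes through; a bare ifconfig typed in single-user mode bypasses it entirely, which is exactly the case the message describes, and is why a kernel that filters by default is a different (and safer) thing from a script that remembers to turn filtering on.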