Subject: Re: New IP filter code
To: Michael Graff <firstname.lastname@example.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
Date: 04/01/1997 17:25:53
In message <email@example.com>Michael Graff writes
>"Perry E. Metzger" <firstname.lastname@example.org> writes:
>> > Having to explicitly turn ip_filter *on* is a bug, in some environments.
>> Indeed. You don't want packets to leak during bootup.
>Can you turn it on before the interfaces are configured? If so,
>that seems like a workable solution.
Not really, no. Yes, ip_fil on a firewall can be made to work
that way, if configured correctly.
But the behavior of the old and `fixed' versions in the face of
configuration errors; or booting single-user and "accidentally'
bringing up interfaces without enabling filtering; or when upgrading
kernels on the firewall, etc, is... different.
>From a security perspective, that difference really does matter.
Perry and I have quite different views on security but on this we seem
to agree, at least in part.