Subject: Re: New IP filter code
To: Jason Thorpe <>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 04/01/1997 17:34:09
Jason Thorpe <> writes:

>On Tue, 01 Apr 1997 17:07:56 -0800 
> Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
> > Executive summary:
> > 
> > The [sic] fix in NetBSD's ip_fil is perceived by security-weenies
> > as a security flaw.
> > 
> > So, how about this: we add a hook to ip_fil'sn pseudo-device attach
> > routine, to turn on filtering, so those that rely on the old semantics
> > get it by default; and we add a config option that turns off that
> > call, so those who need to configure fail-open can do so.
>>So, your "old semantics" argument isn't even really valid, given
>>how it actually worked.
t's how it  worked in ip_fil 2.8.2 through 3.1.whatever.
'm still running a couple of pre-integration versions.

>What you can do, however, to get the semantics you want, is to put:
>        /sbin/ipf -E
>first in /etc/rc.

No, that's **not** the semantics I want.  Do you really not see the