Subject: Re: New IP filter code
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Bernd Ernesti <netbsd@arresum.inka.de>
List: tech-net
Date: 04/02/1997 10:24:03
On Wed Apr 2 03:25:53 1997, Jonathan Stone wrote:
>
> In message <v6208uxmvq.fsf@kechara.flame.org>Michael Graff writes
> >"Perry E. Metzger" <perry@piermont.com> writes:
> >
> >> > Having to explicitly turn ip_filter *on* is a bug, in some environments.
> >>
> >> Indeed. You don't want packets to leak during bootup.
> >
> >Can you turn it on before the interfaces are configured? If so,
> >that seems like a workable solution.
You can that, i made the change to /etc/netstart to enable it again.
> Not really, no. Yes, ip_fil on a firewall can be made to work
> that way, if configured correctly.
>
> But the behavior of the old and `fixed' versions in the face of
> configuration errors; or booting single-user and "accidentally'
> bringing up interfaces without enabling filtering; or when upgrading
> kernels on the firewall, etc, is... different.
We can't fix all problems with comes from humans.
Btw, why don't you use IPF_DEFAULT_PASS ? Thats all what you wanted.
Bernd