Subject: Re: making our tcp/ip a strong-end system
To: Perry E. Metzger <perry@piermont.com>
From: Todd Vierling <tv@pobox.com>
List: tech-net
Date: 11/12/1998 16:56:33
On Thu, 12 Nov 1998, Perry E. Metzger wrote:

: > Then why not just use ipf and eliminate all of the workarounds of
: > workarounds?
: 
: Having the kernel do the right thing by default would give you a nice
: "belt and suspenders" security feel.

That depends on what you say is Right - in the proposal, it's all-or-none,
and I can present dozens of combinations where ipf is quick and correct and
a full strong-end system is too restrictive.  (From reading the rest of the
thread, there are others that would want part of the behavior, but not all
of it.)

So...

: > pass in quick on ne0 from any to 1.2.3.4
: > block in quick on ne0 all
: > pass in quick on ne1 from any to 4.3.2.1
: > block in quick on ne1 all

...is so much easier than hacking the kernel to hard-code this kind of
single use behavior.

In a router environment, ipf is much more flexible, as well.

-- 
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)
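The ruleset quoted in the message above is small enough to simulate. The following is an added example, not code from the tech-net thread or from ipf itself: a minimal evaluator for the subset of ipf syntax used there (pass/block, in, quick, on IFACE, "all" or "from any to ADDR"), used to check that the four per-interface quick rules really give RFC 1122 strong end-system behaviour on a two-interface host, and that the same mechanism can be relaxed for a single interface, which a kernel-wide all-or-none switch cannot do. Assumptions not on the page: ipf's compiled-in default of passing a packet that matches no rule, and that "ne2" is an interface with no rules at all. Interface names and addresses are taken from the quoted rules; the packets are constructed test data.

```python
"""Added example (not from the thread): evaluate ipf-style rules offline.

Assumed: rule grammar "pass|block in [quick] [on IFACE] (all | from any
to ADDR)" and ipf's default of passing packets that match no rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    iface: Optional[str]     # receiving interface, None = any interface
    dst: IPv4Network         # destination must fall inside this network
    quick: bool              # stop evaluating once this rule matches


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf syntax used in the quoted rules."""
    toks = text.split()
    if len(toks) < 3 or toks[0] not in ("pass", "block") or toks[1] != "in":
        raise ValueError(f"unsupported rule: {text!r}")
    action, toks = toks[0], toks[2:]
    quick = False
    if toks and toks[0] == "quick":
        quick, toks = True, toks[1:]
    iface = None
    if toks and toks[0] == "on":
        if len(toks) < 2:
            raise ValueError(f"missing interface: {text!r}")
        iface, toks = toks[1], toks[2:]
    if toks == ["all"]:
        dst = ip_network("0.0.0.0/0")
    elif len(toks) == 4 and toks[:3] == ["from", "any", "to"]:
        dst = ip_network(toks[3], strict=False)   # bare host address -> /32
    else:
        raise ValueError(f"unsupported destination: {text!r}")
    return Rule(action, iface, dst, quick)


def evaluate(rules, iface: str, dst: str) -> str:
    """Verdict for an inbound packet. ipf is last-match-wins, except that a
    matching 'quick' rule ends evaluation on the spot."""
    verdict = "pass"                  # assumed ipf default when nothing matches
    addr = ip_address(dst)
    for r in rules:
        if (r.iface is None or r.iface == iface) and addr in r.dst:
            verdict = r.action
            if r.quick:
                break
    return verdict


def strong_end_rules(addrs: dict) -> list:
    """The per-interface pass/block pair from the thread, for every
    interface in addrs ({iface: its own address})."""
    text = []
    for iface, addr in addrs.items():
        text.append(f"pass in quick on {iface} from any to {addr}")
        text.append(f"block in quick on {iface} all")
    return [parse_rule(t) for t in text]


def enforces_strong_end(rules, addrs: dict) -> bool:
    """Strong end-system check over the listed interfaces: each accepts
    packets for its own address and rejects packets for any other one."""
    for iface, own in addrs.items():
        if evaluate(rules, iface, own) != "pass":
            return False
        for other_iface, other in addrs.items():
            if other_iface != iface and evaluate(rules, iface, other) != "block":
                return False
    return True


# Constructed host: the two interfaces and addresses from the quoted rules.
HOST = {"ne0": "1.2.3.4", "ne1": "4.3.2.1"}
STRONG = strong_end_rules(HOST)

# A partial policy: ne1 may also accept packets for ne0's address (a
# service reachable over either link).  The extra pass must precede ne1's
# quick block or it is never reached; the final catch-all closes any
# interface the per-interface rules forgot (STRONG leaves those open).
RELAXED = [parse_rule(t) for t in (
    "pass in quick on ne0 from any to 1.2.3.4",
    "block in quick on ne0 all",
    "pass in quick on ne1 from any to 4.3.2.1",
    "pass in quick on ne1 from any to 1.2.3.4",
    "block in quick on ne1 all",
    "block in quick all",
)]

if __name__ == "__main__":
    for name, rules in (("strong", STRONG), ("relaxed", RELAXED)):
        print(name, "enforces strong-end:", enforces_strong_end(rules, HOST))
        for iface in ("ne0", "ne1", "ne2"):
            print(f"  {iface} -> 1.2.3.4: {evaluate(rules, iface, '1.2.3.4')}")
```

Two things worth noticing when running it: with only the four quoted rules, an interface that has no rules of its own (ne2 here) still passes everything, because nothing matched and the default is pass, so a real ruleset wants a trailing "block in quick all"; and ordering matters for quick rules, since a pass placed after the interface's quick block is dead.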