Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Erik Fair <>
From: Michael Richardson <>
List: tech-net
Date: 05/06/2000 12:09:40
>>>>> "Erik" == Erik Fair <> writes:
    Erik> This option should be tied to IPFORWARDING, in the following way:

    Erik> If you're a router (IPFORWARDING=1), then you should accept a
    Erik> packet with your IP address on it, regardless of what interface it
    Erik> came in, i.e. strict checking should be OFF.

    Erik> If you're not a router (IPFORWARDING=0), then the strict
    && IPFILTER==0

    Erik> destination code should be on, and packets that came in from the
    Erik> wrong interface should be rejected.

  If I'm a firewall, then I have IPFORWARDING on, since I want to forward.
But I still want strict address checking, since it makes my rules a lot
    Erik> I think those defaults will serve the majority effectively. We
    Erik> might still want to think about this in the context of multi-homed
    Erik> hosts (in the traditional definition of that term, please) a little
    Erik> more.

  I agree. 
  I'd like to see us integrate Paul Vixie's patches that permit
per-interface default routes that can be cached into TCP PCBs. I figured
out how to apply them given our SYN-spoofing defence (which changed when
the PCBs were allocated), but I never got a chance to test things. I still
want to.
]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
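The three configurations argued over in this message (router, firewall, plain host) as an added worked example. This is illustration code written for this page, not NetBSD's ip_input() code and not anything posted in the thread: the structures, the function names (ip_strict_dst_default, ip_check_local_dst, example_verdict), the two-interface table and its addresses are all constructed assumptions. It models Erik's proposed default together with Michael's "&& IPFILTER==0" amendment, and it also covers an edge case the message does not spell out: the same address configured on more than one interface is only rejected if none of the matching interfaces is the one the packet came in on.

```c
/*
 * Added example (not NetBSD code): a model of the "strict destination"
 * check discussed in the message above. Every name here (struct iface,
 * ip_config, ip_strict_dst_default, ip_check_local_dst, example_verdict)
 * and the sample interface table are hypothetical, built for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

struct iface {
    int      index;   /* ifindex */
    uint32_t addr;    /* IPv4 address, host byte order */
};

/* The two kernel knobs the thread ties the default to (hypothetical struct). */
struct ip_config {
    bool ipforwarding;   /* IPFORWARDING: this box forwards packets */
    bool ipfilter;       /* IPFILTER: this box also filters, i.e. is a firewall */
};

enum ip_dst_verdict {
    IP_DST_NOT_LOCAL,    /* not one of our addresses: forward or drop elsewhere */
    IP_DST_ACCEPT,       /* deliver locally */
    IP_DST_REJECT        /* ours, but it came in on the wrong interface */
};

/*
 * Default policy proposed in the thread: a plain router (forwarding on,
 * no filter) accepts its own addresses on any interface; a host, or a
 * forwarding box that also runs IPFILTER (a firewall), checks strictly.
 */
static bool
ip_strict_dst_default(const struct ip_config *cfg)
{
    if (cfg->ipforwarding && !cfg->ipfilter)
        return false;
    return true;
}

/*
 * Decide whether a packet for `dst` that arrived on `in_ifindex` is for
 * us and, if strict checking is on, whether it arrived on the interface
 * that owns the address. The same address may legitimately be configured
 * on several interfaces, so every match is examined before rejecting.
 */
static enum ip_dst_verdict
ip_check_local_dst(const struct iface *ifs, size_t nifs,
                   int in_ifindex, uint32_t dst, bool strict)
{
    bool ours = false;

    for (size_t i = 0; i < nifs; i++) {
        if (ifs[i].addr != dst)
            continue;
        if (!strict || ifs[i].index == in_ifindex)
            return IP_DST_ACCEPT;
        ours = true;   /* address is ours, but owned by another interface */
    }
    return ours ? IP_DST_REJECT : IP_DST_NOT_LOCAL;
}

/* Constructed sample box: two interfaces, documentation-range addresses. */
static const struct iface example_ifs[] = {
    { 1, IPV4(192, 0, 2, 1) },      /* le0, "outside" */
    { 2, IPV4(198, 51, 100, 1) },   /* le1, "inside" */
};

/* Verdict for one packet under one configuration, using the default policy. */
enum ip_dst_verdict
example_verdict(bool ipforwarding, bool ipfilter, int in_ifindex, uint32_t dst)
{
    struct ip_config cfg = { ipforwarding, ipfilter };
    bool strict = ip_strict_dst_default(&cfg);

    return ip_check_local_dst(example_ifs,
        sizeof(example_ifs) / sizeof(example_ifs[0]), in_ifindex, dst, strict);
}

int
main(void)
{
    /* A packet for le1's address arriving on le0: the case the PR is about. */
    uint32_t dst = IPV4(198, 51, 100, 1);
    static const char *name[] = { "not local", "accept", "reject" };

    printf("router   (fwd=1, filter=0): %s\n", name[example_verdict(true,  false, 1, dst)]);
    printf("firewall (fwd=1, filter=1): %s\n", name[example_verdict(true,  true,  1, dst)]);
    printf("host     (fwd=0, filter=0): %s\n", name[example_verdict(false, false, 1, dst)]);
    printf("host, right interface     : %s\n", name[example_verdict(false, false, 2, dst)]);
    return 0;
}
```

The interesting row is the firewall one: forwarding is on, so Erik's rule alone would switch strict checking off, yet the packet is rejected because IPFILTER is also on, which is exactly the case Michael is arguing for. In the real kernel the equivalent decision is made where ip_input() walks the interface address list looking for a match.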