Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Erik Fair <fair@clock.org>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/06/2000 12:09:40
>>>>> "Erik" == Erik Fair <fair@clock.org> writes:
Erik> This option should be tied to IPFORWARDING, in the following way:
Erik> If you're a router (IPFORWARDING=1), then you should accept a
Erik> packet with your IP address on it, regardless of what interface it
Erik> came in, i.e. strict checking should be OFF.
Erik> If you're not a router (IPFORWARDING=0), then the strict
&& IPFILTER==0
Erik> destination code should be on, and packets that came in from the
Erik> wrong interface should be rejected.
If I'm a firewall, then I have IPFORWARDING on, since I want to forward.
But, I still want strict address checking, since it makes my rules a lot
simpler.
Erik> I think those defaults will serve the majority effectively. We
Erik> might still want to think about this in the context of multi-homed
Erik> hosts (in the traditional definition of that term, please) a little
Erik> more.
I agree.
I'd like to see us integrate Paul Vixie's patches that permit
per-interface default routes that can be cached into TCP PCBs. I figured
out how to apply them given our SYN-spoofing defence (which changed when
the PCBs were allocated), but I never got a chance to test things. I still
want to.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
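The policy argued over above (strict destination checking: a packet addressed to one of the host's own interface addresses is only accepted if it arrived on that interface, with the default tied to IPFORWARDING and, per Michael's "&& IPFILTER==0" interjection, left strict on a forwarding box that runs a packet filter) as a small model in C. This is an added illustration, not NetBSD's ip_input code; the interface table, the knob struct and its field names, and the three verdicts are this example's own constructed assumptions, and the rule encoded in strict_default() is this reader's interpretation of the thread.

```c
/* Model of strict destination-interface checking for locally addressed IPv4
 * packets (added example; not NetBSD kernel code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a host-order IPv4 address from four octets. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct iface {
    const char *name;
    uint32_t addr;
};

/* Constructed two-interface box: ex0 faces "outside", ex1 faces "inside". */
static const struct iface ifaces[] = {
    { "ex0", IP4(192, 0, 2, 1) },
    { "ex1", IP4(198, 51, 100, 1) },
};
#define NIFACES (sizeof ifaces / sizeof ifaces[0])

/* Knobs modelled on the thread's proposal; names are the example's own.
 * strict_dst == -1 means "derive from ipforwarding/ipfilter". */
struct ipknobs {
    int ipforwarding;
    int ipfilter;
    int strict_dst;
};

enum verdict { DROP_NOT_LOCAL = 0, ACCEPT = 1, DROP_WRONG_IFACE = 2 };

/* Erik's default (strict iff not forwarding) plus Michael's amendment:
 * a forwarding box with a packet filter still wants strict checking,
 * so strict is only off when forwarding without a filter. */
static int strict_default(const struct ipknobs *k)
{
    if (k->strict_dst >= 0)
        return k->strict_dst;          /* explicit administrator override */
    return !(k->ipforwarding && !k->ipfilter);
}

/* Decide what to do with a packet whose destination is dst and which was
 * received on interface rcvif. */
static enum verdict ip_local_check(uint32_t dst, const char *rcvif,
                                   const struct ipknobs *k)
{
    const struct iface *owner = NULL;
    for (size_t i = 0; i < NIFACES; i++) {
        if (ifaces[i].addr == dst) {
            owner = &ifaces[i];
            break;
        }
    }
    if (owner == NULL)
        return DROP_NOT_LOCAL;         /* not one of ours; forwarding path decides */
    if (strict_default(k) && strcmp(owner->name, rcvif) != 0)
        return DROP_WRONG_IFACE;       /* our address, but on the wrong wire */
    return ACCEPT;
}

int main(void)
{
    const struct ipknobs host     = { 0, 0, -1 };
    const struct ipknobs router   = { 1, 0, -1 };
    const struct ipknobs firewall = { 1, 1, -1 };
    /* Packet carrying the inside address arrives on the outside interface. */
    uint32_t dst = IP4(198, 51, 100, 1);

    printf("host:     %d\n", ip_local_check(dst, "ex0", &host));     /* 2 */
    printf("router:   %d\n", ip_local_check(dst, "ex0", &router));   /* 1 */
    printf("firewall: %d\n", ip_local_check(dst, "ex0", &firewall)); /* 2 */
    printf("correct:  %d\n", ip_local_check(dst, "ex1", &firewall)); /* 1 */
    return 0;
}
```

The firewall case is the one Michael raises: with only Erik's rule the packet would be accepted because ipforwarding is on, so a filter ruleset would have to spell out per-interface destination matches itself; with the amendment the kernel rejects it before any rule is consulted.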