Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Andrew Brown <atatat@atatdot.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/06/2000 15:11:36
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
    Andrew> if you're a firewall, you should have ipforwarding off and you should
    Andrew> be proxying services.  if you're forwarding packets, you're *NOT* a
    Andrew> firewall.

  As someone who made a lot of money in the early/mid 90s selling proxy-based
firewalls, I'm not going to argue this point. The difference between a fully
stateful packet filter and a proxy based system is largely academic now.

    Andrew> if you're a packet filtering router, then you have forwarding on, and
    Andrew> this code doesn't help you, since you can expect to be receiving many
    Andrew> packets on many interfaces with destination addresses that aren't
    Andrew> yours.

  Right now, IPF has filtering rules for inbound traffic and for outbound
traffic. It can fast route, but it does not distinguish between traffic
intended to be forwarded vs traffic intended to be local. It would be
better if it could. 

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
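[Editor's note: added example, not part of the thread and not NetBSD's or IPF's own configuration.] The exchange above turns on two points: the stack (per PR #991) accepts a packet addressed to any of the host's interface addresses no matter which interface it arrives on, and IPF can only say "in on <interface>" or "out on <interface>", not "for this host" vs "to be forwarded". The fragment below shows the usual workaround for the first point using nothing but IPF's inbound rules and the destination address: every interface gets an explicit block for the host's *other* interface addresses, plus the matching anti-spoof rules. Interface names (ex0 outside, le0 inside), the addresses, and the pass rules at the end are assumptions chosen for illustration.

```conf
# /etc/ipf.conf fragment for a two-interface NetBSD host (assumed layout):
#   ex0 = outside, 203.0.113.2/24
#   le0 = inside,  192.168.1.1/24
# Load with:  ipf -Fa -f /etc/ipf.conf

# Weak-host behaviour: the stack will happily take a packet for 192.168.1.1
# that arrives on ex0. IPF's "in" rules run before the stack accepts it, so
# refuse (and log) the host's inside address when it shows up outside ...
block in log quick on ex0 from any to 192.168.1.1/32
# ... and the outside address when it shows up on the inside interface.
block in log quick on le0 from any to 203.0.113.2/32

# Anti-spoofing: inside source addresses must never arrive from outside,
# and nothing claiming to be one of our own addresses may arrive anywhere.
block in log quick on ex0 from 192.168.1.0/24 to any
block in log quick on ex0 from 203.0.113.2/32 to any
block in log quick on le0 from 203.0.113.2/32 to any
block in log quick on le0 from 192.168.1.1/32 to any

# From here on, "in" and "out" still say nothing about whether a packet is
# for this host or is being forwarded; the destination address is the only
# handle. Traffic for the host itself is matched on its own address:
pass in quick on ex0 proto tcp from any to 203.0.113.2/32 port = 22 flags S keep state
# Traffic being forwarded for the inside network is matched on the inside
# prefix, coming in on le0 and going out on ex0:
pass in  quick on le0 from 192.168.1.0/24 to any keep state
pass out quick on ex0 from 192.168.1.0/24 to any keep state
# Replies and anything the host itself originates:
pass out quick on ex0 from 203.0.113.2/32 to any keep state
pass out quick on le0 from 192.168.1.1/32 to any keep state

# Default deny, logged, so anything not covered above is visible.
block in  log all
block out log all
```

Two caveats. First, this only closes the hole for addresses you list: add a new interface or alias and you must add the corresponding block lines, which is exactly why a kernel-side check (the subject of PR #991) is the more robust fix; the rules are still worth keeping for the log entries. Second, the `keep state` on the le0 inbound rule does not by itself pass the forwarded packet out ex0 in older IPF releases, hence the explicit `pass out` on ex0 for the inside prefix.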