Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 05/06/2000 15:42:43
>>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
>    Andrew> if you're a firewall, you should have ipforwarding off and you should
>    Andrew> be proxying services.  if you're forwarding packets, you're *NOT* a
>    Andrew> firewall.
>
>  As someone who made a lot of money in the early/mid 90s selling proxy-based
>firewalls, I'm not going to argue this point. The difference between a fully
>stateful packet filter and a proxy based system is largely academic now.

i'll grant you that, but it's still much harder to break a proxy so
that it accidentally forwards every connection attempt.  packet
filters can be easily broken (by clueless personnel) such that they
*do* forward too much.

>    Andrew> if you're a packet filtering router, then you have forwarding on, and
>    Andrew> this code doesn't help you, since you can expect to be receiving many
>    Andrew> packets on many interfaces with destination addresses that aren't
>    Andrew> yours.
>
>  Right now, IPF has filtering rules for inbound traffic and for outbound
>traffic. It can fast route, but it does not distinguish between traffic
>intended to be forwarded vs traffic intended to be local. It would be
>better if it could.

your rules are supposed to distinguish between what needs to be local and
what needs to be forwarded.  i thought that was the idea...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
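The behaviour PR #991 complains about, as an added toy model that is not code from the thread or from NetBSD: under the weak host model a packet is delivered locally whenever its destination is any of the host's addresses, whatever interface it arrived on; a strong host check also requires the destination to belong to the arrival interface. The interface names and addresses are constructed for the example.

```python
# Added example (not from the thread): toy model of the input decision
# discussed in PR #991. "weak" host model accepts any packet whose
# destination is one of our addresses, regardless of arrival interface;
# "strong" requires the destination to belong to the arrival interface.
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    addr: str


# Constructed sample box: a two-homed host acting as a firewall.
IFACES = [Iface("ext0", "192.0.2.1"), Iface("int0", "10.0.0.1")]


def classify(dst, arrived_on, ipforwarding, strong_host):
    """Return 'local', 'forward' or 'drop' for a packet with destination
    dst that arrived on interface arrived_on."""
    ours = {i.addr: i for i in IFACES}
    if dst in ours:
        # Strong host model: only the interface owning the address accepts.
        if strong_host and ours[dst].name != arrived_on:
            return "drop"
        return "local"
    # Not our address: with ipforwarding off (proxy firewall) it is dropped;
    # with it on (packet filtering router) it goes to the forwarding path.
    return "forward" if ipforwarding else "drop"


def demo():
    # The PR's case: a packet from outside aimed at the inside interface's
    # address is accepted under the weak host model...
    weak = classify("10.0.0.1", "ext0", ipforwarding=False, strong_host=False)
    # ...and refused once the arrival interface is checked.
    strong = classify("10.0.0.1", "ext0", ipforwarding=False, strong_host=True)
    # A transit packet: dropped by a proxy firewall, forwarded by a router.
    fw = classify("10.0.0.55", "ext0", ipforwarding=False, strong_host=False)
    rt = classify("10.0.0.55", "ext0", ipforwarding=True, strong_host=False)
    return weak, strong, fw, rt


if __name__ == "__main__":
    print(demo())  # ('local', 'drop', 'drop', 'forward')
```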