Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Michael Richardson <>
From: Andrew Brown <>
List: tech-net
Date: 05/06/2000 15:42:43
>>>>>> "Andrew" == Andrew Brown <> writes:
>    Andrew> if you're a firewall, you should have ipforwarding off and you should
>    Andrew> be proxying services.  if you're forwarding packets, you're *NOT* a
>    Andrew> firewall.
>  As someone who made a lot of money in the early/mid 90s selling proxy-based
>firewalls, I'm not going to argue this point. The difference between a fully
>stateful packet filter and a proxy based system is largely academic now.

i'll grant you that, but it's still much harder to break a proxy so
that it accidentally forwards every connection attempt.  packet
filters can be easily broken (by clueless personnel) such that they
*do* forward too much.

>    Andrew> if you're a packet filtering router, then you have forwarding on, and
>    Andrew> this code doesn't help you, since you can expect to be receiving many
>    Andrew> packets on many interfaces with destination addresses that aren't
>    Andrew> yours.
>  Right now, IPF has filtering rules for inbound traffic and for outbound
>traffic. It can fast route, but it does not distinguish between traffic
>intended to be forwarded vs traffic indended to be local. It would be
>better if it could. 

your rules are supposed to distinguish between what needs to local and
what needs to be forwarded.  i thought that was the idea...

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."