[3555] in linux-net channel archive


Re: Default Forwarding Policies

daemon@ATHENA.MIT.EDU (Jos Vos)
Mon Jul 1 05:03:24 1996

From: Jos Vos <jos@xos.nl>
To: lnz@dandelion.com (Leonard N. Zubkoff)
Date: 	Mon, 1 Jul 1996 10:45:17 +0200 (MET DST)
Cc: linux-net@vger.rutgers.edu, Linus.Torvalds@cs.helsinki.fi
In-Reply-To: <199607010756.AAA02643@dandelion.com> from "Leonard N. Zubkoff" at Jul 1, 96 00:56:24 am

> If IP Forwarding and IP Firewall are both included in a kernel, shouldn't the
> default policy be to not forward anything until the system startup scripts set
> the appropriate policies?  Otherwise, there's a window of time during boot when
> packets will be forwarded but should not be.  Worse still, if a crash causes a
> reboot that doesn't get far enough to run the startup scripts, a machine might
> be left with forwarding turned on indefinitely until someone notices the
> problem.

I don't think this is necessary.

It might cause confusion when the default policy depends on the
CONFIG_IP_FIREWALL definition.  Also, a lot of people just enable
the firewall options, although they don't use it from the beginning
(and don't know how to use ipfwadm at that point).

About the window during the boot phase: as long as you put the
ipfwadm commands _before_ the ifconfig commands (which is possible,
even using device names, etc.), there is no serious risk (except when
ipfwadm crashes, but even that could be caught by checking the
default policy before doing the ifconfig commands).

Or am I overlooking something there?

Another option would be to choose the initial default policy at
kernel configuration time, but I think this is not worth the pain.

-- 
--    Jos Vos <jos@xos.nl>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
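
The boot-time ordering discussed in this message (set the forwarding policy, verify it, only then configure interfaces), sketched as an added example that is not part of the original post. It assumes `ipfwadm -F -l` prints a first line of the form `IP firewall forward rules, default policy: deny`; the function names, the `sample_listing` helper and the address in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to bring an interface up unless the forward chain's
# default policy is already closed. Function names are hypothetical.

# Constructed sample of the assumed first line of `ipfwadm -F -l` output.
sample_listing() {
    printf 'IP firewall forward rules, default policy: %s\n' "$1"
    printf 'type  prot source               destination          ports\n'
}

# Read a forward-chain listing on stdin and print the default policy word.
forward_policy() {
    sed -n 's/^IP firewall forward rules, default policy: \([a-z]*\).*$/\1/p' |
        head -n 1
}

# Succeed only for a non-forwarding default policy. An empty result
# (ipfwadm crashed or printed nothing) fails closed.
policy_is_closed() {
    policy=$(forward_policy)
    case "$policy" in
        deny|reject) return 0 ;;
        *)           return 1 ;;
    esac
}

# guarded_ifup LISTER CMD...: run CMD only if LISTER's output shows a
# closed policy. LISTER is split on whitespace, so keep it simple.
guarded_ifup() {
    lister=$1
    shift
    if $lister | policy_is_closed; then
        "$@"
    else
        echo "forward policy not closed; leaving interface down" >&2
        return 1
    fi
}

# Intended use in a startup script (address is a constructed placeholder):
#   ipfwadm -F -p deny
#   guarded_ifup "ipfwadm -F -l" ifconfig eth0 192.0.2.1 up
```
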

