Subject: Re: ipfilter loading.
To: None <thorpej@nas.nasa.gov>
From: Martin Husemann <martin@rumolt.teuto.de>
List: tech-kern
Date: 04/30/1997 07:29:55
> Jonathan Stone <jonathan@DSG.Stanford.EDU> wrote:
>
> > Oh. good point. What are those uses -- are they security-related?
> > Does changing the rule-filter default state break ipfilter for those uses?
and Jason R. Thorpe answered:
> ...NAT and passive logging come to mind. Think of cases where the machine
> is on a _wide open_ network, just collecting data about what sort
> of traffic is on the wire...
And this makes things complicated!
I wholeheartedly agree with Darren and Jonathan while talking about
security. I disagree when looking at generic kernels in distribution:
I would argue we could well live without ipfilter in a generic kernel, since
Joe Average User won't need it for security, and if he did, he would probably
customize his kernel anyway.
BUT: Joe Average User probably will run NAT - at least here in Germany it
makes a big $$$$ difference whether I order one dynamically assigned IP from
my provider or a subnet with complete routing and name resolving. So to let
my NetBSD box sup -current while I'm surfing using Internet Explorer on the
NT box, I'll need NAT.
Martin