Re: rdr vs pass
Hi,
> seems like if everything could be done with redirects,
Does your colleague intend to block traffic by redirecting
it to some nonexistent IP address?
If so, I think you should not do that.
1. You would forward packets into some network segment
where you don't want them - that's both unnecessary
network load and a risk that someone will craft an
exploit against that network segment. Don't give
anybody any access to anything unless they have some
business there.
2. At some time in the future, somebody might put the
formerly nonexistent IP address to some use.
He will be quite surprised to receive a lot of junk
on his interface.
3. Even worse, somebody might intentionally plug in a
laptop in order to look what kind of traffic you are
blocking. They might even respond to that traffic,
effectively drilling holes into your firewall.
> why did the gods of openbsd create rules?
> The only real argument I have is rules buy us logging...
Well, there are more options to block/pass than just "log".
What about "return-rst", to supply but one additional example?
Yours,
Ingo
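As an added illustration of the two approaches discussed above (example pf.conf fragment, not part of the thread), here is the "block by redirecting to an unused address" pattern next to an explicit block rule that logs and uses return-rst. It assumes OpenBSD 4.7 or later rule syntax; the interface name em0 and the address 10.0.0.254 are constructed placeholders.

```pf
# Added example, not from the original mail.
# Assumptions: em0 is the external interface; 10.0.0.254 is a constructed,
# currently unused address on an internal segment.
ext_if = "em0"

# What the mail argues against: "blocking" telnet by redirecting it into the
# internal segment. The packets are still forwarded, the segment carries the
# junk, and any host that later answers at 10.0.0.254 can reply to it.
pass in on $ext_if proto tcp from any to any port 23 rdr-to 10.0.0.254

# What the mail recommends instead: block explicitly, log the attempt, and
# answer TCP with a RST so the client fails fast. return-rst applies to TCP
# only; use "return" for rules that also cover UDP or other protocols.
block return-rst in log on $ext_if proto tcp from any to any port 23
```

The blocked connections show up on the pflog interface (tcpdump -n -e -ttt -i pflog0) without ever leaving the firewall.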