lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 2 Jul 2009 06:48:40 +0930
From:	Mark Smith <lk-netdev@...netdev.nosense.org>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	David Miller <davem@...emloft.net>, markmc@...hat.com,
	netdev@...r.kernel.org, herbert@...dor.apana.org.au
Subject: Re: [PATCH] bridge: make bridge-nf-call-*tables default
 configurable

On Wed, 01 Jul 2009 18:05:40 +0200
Patrick McHardy <kaber@...sh.net> wrote:

> David Miller wrote:
> > From: Patrick McHardy <kaber@...sh.net>
> > Date: Wed, 01 Jul 2009 12:51:06 +0200
> > 
> >> I agree, this has already caused an endless amount of problems for
> >> users due to the unexpected behaviour and, in some cases, bugs.
> >>
> >> Dave's point is certainly valid as well, until we change the defaults,
> >> distributions can use sysctl.conf. But I think we should move towards
> >> changing the defaults.
> > 
> > You must do this via something like your suggestion, the
> > feature-removal-schedule.txt thing.
> 
> Yes, of course. But I prefer the runtime warning (at least on top),
> my feeling is not many people actually read feature-removal-schedule.
> 

Reviewing my earlier email, I realised I didn't say why I liked it.
Yes, I've been burned by it quite a bit, but that was because I wasn't
aware of it.

I do see a lot of value in it for "layer 3 transparent" firewalling.
Adding a firewall to a network can be a bit of an effort as it may
involve changing the networks routing configuration, and consequently
all the things that involves e.g. renumbering hosts, spitting up
subnets or adding new ones. Being able to insert a layer 3
transparent firewalling device between the upstream router and the
downstream hosts would be far, far easier.

With it being able to firewall bridged PPPoE/PPP traffic, potentially
made it even more useful, although in less common cases. For example, I
have a number of devices at home that are themselves running PPPoE/PPP,
rather than having a single upstream router running it. If I wasn't
confident of the firewalling capabilities of each of those devices, I
could insert a layer 3 transparent iptables firewall, and add another
level of firewalling to the PPPoE/PPP encapsulated traffic.

So, I'd certainly like the feature to stay. It just needs to either not
be on by default, or the default made more obvious and a method added
to make it easy to switch off.

Thanks,
Mark.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ