Message-Id: <20090702064840.d187bab6.lk-netdev@lk-netdev.nosense.org>
Date: Thu, 2 Jul 2009 06:48:40 +0930
From: Mark Smith <lk-netdev@...netdev.nosense.org>
To: Patrick McHardy <kaber@...sh.net>
Cc: David Miller <davem@...emloft.net>, markmc@...hat.com,
netdev@...r.kernel.org, herbert@...dor.apana.org.au
Subject: Re: [PATCH] bridge: make bridge-nf-call-*tables default configurable
On Wed, 01 Jul 2009 18:05:40 +0200
Patrick McHardy <kaber@...sh.net> wrote:
> David Miller wrote:
> > From: Patrick McHardy <kaber@...sh.net>
> > Date: Wed, 01 Jul 2009 12:51:06 +0200
> >
> >> I agree, this has already caused an endless amount of problems for
> >> users due to the unexpected behaviour and, in some cases, bugs.
> >>
> >> Dave's point is certainly valid as well, until we change the defaults,
> >> distributions can use sysctl.conf. But I think we should move towards
> >> changing the defaults.
> >
> > You must do this via something like your suggestion, the
> > feature-removal-schedule.txt thing.
>
> Yes, of course. But I prefer the runtime warning (at least on top),
> my feeling is not many people actually read feature-removal-schedule.
>
Reviewing my earlier email, I realised I didn't say why I liked it.
Yes, I've been burned by it quite a bit, but that was because I wasn't
aware of it.
I do see a lot of value in it for "layer 3 transparent" firewalling.
Adding a firewall to a network can be a bit of an effort as it may
involve changing the network's routing configuration, and consequently
all the things that involves, e.g. renumbering hosts, splitting up
subnets or adding new ones. Being able to insert a layer 3
transparent firewalling device between the upstream router and the
downstream hosts would be far, far easier.
Being able to firewall bridged PPPoE/PPP traffic potentially makes it
even more useful, although in less common cases. For example, I
have a number of devices at home that are themselves running PPPoE/PPP,
rather than having a single upstream router running it. If I wasn't
confident of the firewalling capabilities of each of those devices, I
could insert a layer 3 transparent iptables firewall, and add another
level of firewalling to the PPPoE/PPP encapsulated traffic.
So, I'd certainly like the feature to stay. It just needs to either not
be on by default, or the default made more obvious and a method added
to make it easy to switch off.
Thanks,
Mark.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
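The two things the thread keeps coming back to are (a) finding out whether the bridge-nf-call-*tables knobs are on, since an unaware admin is surprised by bridged frames showing up in iptables, and (b) having an easy, persistent way to switch them off via sysctl.conf while keeping them available for the "layer 3 transparent" firewall case. The script below is an added example, not code from the thread or the kernel patch; it assumes the knobs live under /proc/sys/net/bridge (overridable through BRNF_DIR so it can be exercised against a constructed copy), and the interface names eth0/eth1/br0 in the rule generator are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): inspect, switch off, and make use of
# the bridge-nf-call-*tables sysctl knobs.

# Directory holding the knobs. Overridable so the functions can be run
# against a constructed copy on a host without the bridge module loaded.
BRNF_DIR="${BRNF_DIR:-/proc/sys/net/bridge}"
BRNF_KNOBS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# Print "knob=value" (or "knob=absent" if the bridge module is not loaded).
brnf_state() {
    for knob in $BRNF_KNOBS; do
        if [ -r "$BRNF_DIR/$knob" ]; then
            printf '%s=%s\n' "$knob" "$(cat "$BRNF_DIR/$knob")"
        else
            printf '%s=absent\n' "$knob"
        fi
    done
}

# Exit status 0 if bridged IPv4 frames are currently handed to iptables,
# 1 otherwise (knob off or absent).
brnf_hooks_iptables() {
    [ -r "$BRNF_DIR/bridge-nf-call-iptables" ] &&
        [ "$(cat "$BRNF_DIR/bridge-nf-call-iptables")" = "1" ]
}

# Switch every knob off at runtime (needs root against the real /proc).
brnf_set_off() {
    for knob in $BRNF_KNOBS; do
        [ -w "$BRNF_DIR/$knob" ] && printf '0\n' > "$BRNF_DIR/$knob"
    done
    return 0
}

# Lines for /etc/sysctl.conf that make the "off" choice explicit and
# persistent, the workaround the thread suggests for distributions.
brnf_sysctl_conf_off() {
    cat <<'EOF'
# Do not pass bridged frames through iptables/ip6tables/arptables
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
}

# Rules for the case where the feature is wanted: a layer 3 transparent
# firewall bridging eth0 (upstream router side) and eth1 (hosts) as br0.
# These only see bridged traffic while bridge-nf-call-iptables=1.
# Interface names are placeholders; $1 and $2 override them.
brnf_transparent_rules() {
    up="${1:-eth0}"; down="${2:-eth1}"
    cat <<EOF
iptables -P FORWARD DROP
# replies to connections the inside hosts opened
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $up --physdev-out $down \\
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything the inside hosts originate
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $down --physdev-out $up -j ACCEPT
# log anything else arriving from upstream before the policy drops it
iptables -A FORWARD -m physdev --physdev-is-bridged --physdev-in $up -j LOG --log-prefix "br-fw drop: "
EOF
}

# Stand-alone run: show the current state of the knobs.
brnf_state
```

Run it as root on a bridge host to see whether the hooks are on; `brnf_sysctl_conf_off` prints what to append to sysctl.conf if you want them off before any reboot surprises you, and `brnf_transparent_rules eth0 eth1` prints the physdev-based FORWARD rules that give the transparent firewall described above.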