Re: "IP Masquerading for applications"

Darren Reed
Mon, 8 Apr 1996 14:52:35 +1000 (EST)

In some mail from Kevin M Bealer, sie said:
> On Sun, 7 Apr 1996, Darren Reed wrote:
> > In some mail from Michael Slater, sie said:
> > > On Sat, 6 Apr 1996, Darren Reed wrote:
> > >
> > > If you want to use software that is guaranteed to work, then you should
> > > try buying commercial software. The people who have developed all of this
> > > fine software for us to use ask nothing for its use, and I find it in
> > > most cases better than its commercial counterparts. I for one am grateful
> > > for its availability and do what I can to support the concept of _FREE_
> > > software. And I don't complain if something does not meet my expectations,
> > > but rather look upon it as a challenge to find out why it does not work.
> >
> > In this case it is obvious why it doesn't always work.
> >
> > The problem with it at present is it leads people to believe that it will
> > always work if it happens to work occasionally.
> (clip)
> > > > * fix it so it works properly
> > > >
> > > > * remove it
> (clip)
> The 1.3.* kernels are NOT 'released' software, they are experimental 'alpha'
> type software... Anyone who 'rtfm' has seen the 'do-not-use' warnings, and
> knows the risk..
> So you are asking Linux developers to remove experimental code from
> _testing_, in case someone accidentally participates in an alpha test
> because they did not read instructions?

No, I'm telling them they should NOT be using `IP masquerading' for
providing a `transparent proxy' and that they should remove the code that is
currently there and start over - that's what alpha/beta testing is for,
finding bad/buggy code and fixing it. In this case that bad/buggy code is
best fixed by removing it. Not nice, I know.

Maybe this is the source of the problem: IP Masquerading (which is a network
or transport layer function) is quite ok, but extending that to become a
"Transparent Proxy" mechanism is absurd. They're both fundamentally
different methods of implementing a firewall.

> I'm not trying to start a flame war here.. Read the readme's, and if people
> won't do that, oh well. I object to child-proofing this stuff. If I want
> childproofing, I can type 'win95' at the LILO prompt.

Given the trend of the way it was going, it looked like it was headed for
integration into the next non-beta/development release. I was rather
alarmed by its progress and comments from people saying there was a big
push to get it done. I drew up a list of all the problems with the current
code; fixing it would be no easier than rewriting TCP from scratch. I and
many others know that 1.3.* is `beta', BUT LOTS of people ignore that and
use it in production situations. Providing a broken firewall mechanism
is not in the best interests of anyone.

I was concerned and of the opinion that with the current thrust behind
doing things the way they were currently being done that e-mail to the
author would not solve anything.


p.s. I type "FreeBSD" at the LILO prompt for child-proofing :-)