Re: /proc/sys/net/* proliferation

Bryan Andregg
Sun, 14 Sep 1997 13:16:10 -0400

On Sun, 14 Sep 1997 01:02:22 +0100 (BST), Alan Cox wrote:

>> > can only be changed at compile time (as in 2.0.x) it should be on so the
>> > functionality is there for those who need it.
>> No, it shouldn't because it can cause serious harm and security holes
>> on multihomed hosts. I'm pretty sure that the host requirements RFC
>> requires an explicit user action to enable it.
>RFC1122 does indeed require that a system is a host by default and routing
>must be switched on. In 2.1.x this problem goes away (it's a sysctl), in
>2.0.x a vendor could always ship a separate kernel

So then would an appropriate solution also be to ship with forwarding on (in the
kernel) but the forwarding policy set to 'reject.' This would require an
enabling command then.

                Bryan C. Andregg * <> * Red Hat Software

"Donnie were much more 'user-friendly'. May be you selective about friends:-)" -- Levente Farkas

"Hey, wait a minute, you clowns are on dope!" -- Owen Cheese in 'Shakes the Clown'
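The two postures discussed in the thread (host by default per RFC 1122, versus forwarding compiled in but the forwarding policy set to reject until an operator explicitly enables it) can be audited from userspace. The script below is an added example and is not part of the original message or the kernel; it assumes the 2.1.x-style sysctl file /proc/sys/net/ipv4/ip_forward (0 = host, 1 = router) and, for the forwarding-policy check, the output format of a modern `iptables -S FORWARD` (`-P FORWARD <policy>`), which is a stand-in for the 1997-era firewall tools. Inputs are parameters so the check can be run against captured data rather than only the live system.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a Linux host's
# IP forwarding posture. Assumptions: ip_forward sysctl file semantics
# (0 = host, 1 = router) and "iptables -S" line format "-P FORWARD <policy>".

# classify_forwarding <ip_forward value> <FORWARD chain policy>
# Prints: host | router-open | router-filtered | unknown
classify_forwarding() {
    fwd="$1"
    policy="$2"
    case "$fwd" in
        0) echo host ;;                       # RFC 1122 default: not a router
        1) case "$policy" in
               DROP|REJECT) echo router-filtered ;;   # forwarding on, but nothing passes until rules are added
               *) echo router-open ;;                 # forwarding on and packets are relayed
           esac ;;
        *) echo unknown; return 1 ;;
    esac
}

# read_ip_forward [path]: read the sysctl value; path defaults to the live file
read_ip_forward() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    tr -d '[:space:]' < "$path"
}

# read_forward_policy: parse "iptables -S" output on stdin, print the FORWARD policy
read_forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Constructed demo input (not captured from a real system) when run with --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    echo 1 > "$tmp"                              # constructed: forwarding compiled in and on
    fwd=$(read_ip_forward "$tmp")
    policy=$(printf '%s\n' '-P FORWARD DROP' '-A FORWARD -i eth0 -o eth1 -j ACCEPT' | read_forward_policy)
    echo "ip_forward=$fwd policy=$policy => $(classify_forwarding "$fwd" "$policy")"
    rm -f "$tmp"
fi
```

Run with `--demo` to see the constructed case; without arguments the functions are available for sourcing, and `read_ip_forward` with no path reads the live sysctl. A box reporting `router-open` with no intent to route is the condition the thread warns about on multihomed hosts.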