* Theo de Raadt <dera...@cvs.openbsd.org> [2013-11-14 19:00]:
> > * Theo de Raadt <dera...@cvs.openbsd.org> [2013-11-14 18:47]:
> > > > it is the status quo *right now*
> > > Look, you can't call something the status quo when a commit was made 1
> > > month ago, to a REAL status quo that existed for 10 years when itojun
> > > made the change...  and immediately after this recent commit we
> > > started arguing about the change.
> > > Go find out what "status quo" means.
> > let's not get into this, leads us nowhere.
> I believe Alexander should either take us back to the status quo, or
> move us to the new world where we have a "solution" for the non-pf
> case as well.
> 
> You are arguing for a case with NO PROTECTION against RH0.  Ridiculous.

no protection for hosts BEHIND an OpenBSD box forwarding v6 traffic
and not running pf, correct. the box itself is protected, by, well,
itself. 
just like such an openbsd box doesn't protect the boxes behind it from
pretty much anything else. that's what pf is for.

> > > The non-pf RH0 filtering case is worthwhile.
> > and here we disagree.
> Do you run any routers with pf disabled?  If so, please identify one,
> for a demonstration.

yes, I do.
utterly pointless, since a) no v6 there at all and b) several pf pairs
behind it and nothing else - as in, everything else is behind those pf
boxes.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
