> > > - It is pf's job to add more security.
> >
> > It is. However, you will note that in IPv4 land we have sysctl
> > net.inet.ip.sourceroute. It defaults to 0 (off). RH is like IPv4 source
> > routing, except on steroids. Would any of us at this time recommend
> > net.inet.ip.sourceroute=1, or to go further, remove the disabling code
> > from the kernel and assume that pf is doing the filtering? I doubt it.
>
> That analogy is actually a good one.
> net.inet.ip.sourceroute controls whether we OBEY src routes.
> As in, we don't by default, as we don't obey RH0 at all, without a
> button.
> We do, however, NOT remove src routing information from forwarded
> packets.
the multiplicative effects are far too serious.
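The distinction drawn above (not obeying RH0 versus still forwarding packets that carry it) is something a defender can check for directly on the wire. The following is an added example, not code from this thread or from OpenBSD: it walks an IPv6 extension-header chain, reports any Routing Header present, and flags a type 0 header whose Segments Left is still non-zero, i.e. a packet still asking to be source-routed. The `build_sample` helper, its addresses and its payload are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_ROUTING = 43
EXT_HEADERS = {0, 43, 44, 51, 60, 135}  # ext headers that may precede the upper layer (RFC 8200)

def find_routing_headers(pkt: bytes):
    """Walk the IPv6 extension-header chain; return (type, segments_left, addresses)
    for every routing header found."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, found = pkt[6], 40, []
    while next_hdr in EXT_HEADERS and off + 2 <= len(pkt):
        if next_hdr == 44:                       # fragment header: fixed 8 bytes
            hdr_len = 8
        elif next_hdr == 51:                     # AH: length in 4-octet units minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                                    # others: 8-octet units, excluding first 8
            hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == IPPROTO_ROUTING:
            rtype, seg_left, addrs = pkt[off + 2], pkt[off + 3], []
            if rtype == 0:                       # RH0 body: 4 reserved bytes, then 16-byte hops
                body = pkt[off + 8:off + hdr_len]
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(0, len(body) - len(body) % 16, 16)]
            found.append((rtype, seg_left, addrs))
        next_hdr, off = pkt[off], off + hdr_len
    return found

def has_live_rh0(pkt: bytes) -> bool:
    """True when an RH0 with Segments Left > 0 is present, i.e. the packet still asks
    to be source-routed (RFC 5095 requires such packets to be discarded)."""
    return any(t == 0 and s > 0 for t, s, _ in find_routing_headers(pkt))

def build_sample(with_rh0: bool) -> bytes:
    """Constructed sample packet (not a capture): 2001:db8::1 -> 2001:db8::2, optionally
    carrying an RH0 that lists 2001:db8::3 as the remaining hop, then 4 bytes of payload."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    payload = b"test"
    ext = b""
    if with_rh0:
        # next header 6 (TCP), ext len 2 (= one 16-byte address), type 0, segments left 1
        ext = struct.pack("!BBBB4x", 6, 2, 0, 1) + ipaddress.IPv6Address("2001:db8::3").packed
    nh = IPPROTO_ROUTING if with_rh0 else 6
    hdr = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), nh, 64) + src + dst
    return hdr + ext + payload
```

Run over a pcap's IPv6 frames, `has_live_rh0` gives a simple count of how much RH0 traffic a router would still be forwarding even though it does not obey it itself.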