Harald Dunkel <[EMAIL PROTECTED]> writes:

> Sorry to wake this thread up again, but this problem is a severe
> security risk. IMHO it is unacceptable that a hardware failure on
> one NIC of a firewall can put the whole network at risk, just because
> the mapping between NICs and interface names gets mixed up, and PF
> suddenly treats the Internet as a subnet of the company LAN.

Semi-random reordering of network interfaces would be a severe problem, no doubt. However, my hazy memory was that reordering would not occur as you describe, but ICBW; please correct me if this has actually been demonstrated to happen.

> The workarounds posted here just show that OpenBSD's native
> functionality is insufficient. If you are planning a version 5.0,
> then it would be very nice if you could address this problem.

Version 5.0 would be roughly three years into the future unless OpenBSD chooses to deviate from the version naming scheme, i.e.

4.5 - May 2009
4.6 - November 2009
4.7 - May 2010
4.8 - November 2010
4.9 - May 2011
5.0 - November 2011

Any issues that have real security impact would likely be handled *a lot* sooner.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
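The risk Harald describes is that a firewall's interface names no longer point at the NICs the pf ruleset was written for. One defensive check, added here as an example and not code from either poster or from OpenBSD, is to pin each interface name to its link-layer address in a baseline and refuse to load the ruleset when the live `ifconfig` output disagrees. The baseline entries and the `ifconfig` sample below are constructed; the baseline file path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example: detect a swapped NIC -> interface-name mapping before
# pf rules are loaded. Baseline lines are "<ifname> <lladdr>" (constructed).
EXPECTED="em0 00:11:22:33:44:01
em1 00:11:22:33:44:02"

# Constructed OpenBSD-style ifconfig output in which em0 and em1 have
# swapped link-layer addresses (the failure mode discussed in the thread).
SWAPPED_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:02
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:01
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768'

# The same sample with the mapping as the baseline expects it.
GOOD_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:01
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:02'

# Read ifconfig-style text on stdin, print one "ifname lladdr" pair per line.
extract_lladdrs() {
    awk '/^[a-z]+[0-9]+:/ { ifn = $1; sub(":", "", ifn) }
         /^[[:space:]]+lladdr/ { print ifn, $2 }'
}

# check_mapping "<ifconfig text>" "<baseline>"
# Prints one line per interface whose lladdr differs from the baseline
# (or is missing) and returns 1; prints nothing and returns 0 if all match.
check_mapping() {
    actual=$(printf '%s\n' "$1" | extract_lladdrs)
    mismatches=$(printf '%s\n' "$2" | while read -r ifn mac; do
        got=$(printf '%s\n' "$actual" | awk -v i="$ifn" '$1 == i { print $2 }')
        [ "$got" = "$mac" ] || printf '%s expected %s got %s\n' "$ifn" "$mac" "${got:-none}"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Real use on the firewall (baseline path is an assumption):
#   check_mapping "$(ifconfig)" "$(cat /etc/nic-baseline)" || exit 1   # before pfctl -f
```

Running the check from rc before `pfctl -f /etc/pf.conf` turns a silent interface swap into a loud failure to load the ruleset, rather than a ruleset applied to the wrong networks.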