Date: Sun, 15 Dec 2002 12:05:07 -0800 (PST) From: Nate Lawson <nate@root.org> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: current@FreeBSD.ORG Subject: Re: ipfw userland breaks again. Message-ID: <Pine.BSF.4.21.0212151157240.44745-100000@root.org> In-Reply-To: <200212151940.gBFJeA1l086827@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 15 Dec 2002, Matthew Dillon wrote: > Here's a new patch. But there isn't much of a point if we do not > also disallow ipfw DELETE and FLUSH. And the pipe config commands > as well as anything else that changes the firewall state. Firewalls > are there to protect the systems behind them. I think deleting the > rule that, say, prevents spoofing is as bad as adding a rule that > allows everything through :-( One other avenue would be to stick a temporary check for ABI compat in installworld before overwriting ipfw. Or for the next few releases, build both ipfw1 and ipfw2 and install both (say, symlinking ipfw -> ipfw2 by default). You could fall back to ipfw1 if ipfw2 returns an error code in rc scripts. I'd prefer this kind of hack in the install/rc process, not in a new API. Regarding civility to developers, there are a ton of frustrating things in any project. I think civility should be the response given to both reasonable and unreasonable people. If they are unreasonable, giving a reasonable response just makes them look bad. -Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0212151157240.44745-100000>