Date:      Wed, 28 Jan 1998 08:16:35 +0200 (SAT)
From:      Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To:        jdp@polstra.com (John Polstra)
Cc:        archie@whistle.com, hackers@FreeBSD.ORG
Subject:   Re: ipfw patch
Message-ID:  <199801280617.IAA23275@oskar.nanoteq.co.za>
In-Reply-To: <199801280535.VAA29425@austin.polstra.com> from John Polstra at "Jan 27, 98 09:35:40 pm"

> In article <199801280028.QAA18434@bubba.whistle.com>,
> Archie Cobbs  <archie@whistle.com> wrote:
> > 
> > A good idea.. more traditional though would just be to add a flag
> > to ipfw itself, like "-n" or something.
> > 
> > -Archie
> > 
> > alexlh@xs4all.nl writes:
> > > I use ipfw a lot. It's really nice.
> > > 
> > > One thing bothered me though; sometimes there would be a typo in the rules
> > > file, causing ipfw not to finish adding all the rules. This has been a
> > > problem, as most of our servers are located behind a large, locked door
> > > and I usually do things to them over the network.
> > > 
> > > I've patched ipfw so that it's now possible to let it process a ruleset
> > > without actually adding the rules to the kernel. It now checks to see if
> > > the executable is actually named 'ipfw' before the setsockopt() call.
> > > Create a symlink named (for example) testipw pointing to the ipfw
> > > executable, and all will be fine.
> 
> I agree with Archie.  It's best to avoid adding programs that change
> their behavior based on the name used to invoke them.
> 

True ... it should be a flag so that it is optional.  In the case of the
machine being a firewall, you would rather it didn't process any rules
after the incorrect one (the behaviour like it is now) because you might
be skipping a very important deny rule and add other rules that would
make the system less secure.  In such a specific case you would rather
that it skipped all the other rules and just have the default deny at
the end than a false sense of security.  Even though it means that you
must have a console or screen and keyboard connected :)

Reinier


###################################################################
#                                                                 #
#  R.N. Bezuidenhout                  NetSeq Firewall             #
#  rbezuide@oskar.nanoteq.co.za       http://www.nanoteq.com      #
#                                                                 #
###################################################################
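The two outcomes argued over in this thread, modelled as an added example that is not part of the thread or of ipfw itself: a small, constructed rule syntax, a dry-run syntax check in the spirit of the "-n" flag Archie proposes, and a side-by-side load of a ruleset with a typo where the loader either stops at the bad rule (what ipfw does) or skips it and carries on. The rule grammar, the ruleset and the packets are all assumptions made for the example.

```python
import ipaddress

ACTIONS, PROTOS = ("allow", "deny"), ("tcp", "udp", "ip")

def parse_rule(line):
    """Parse one rule of the constructed syntax:
    'add <num> <allow|deny> <tcp|udp|ip> from <net|any> to <net|any> [port]'.
    Raises ValueError on anything it does not understand (a typo, say)."""
    t = line.split()
    if len(t) not in (8, 9) or t[0] != "add" or t[4] != "from" or t[6] != "to":
        raise ValueError("syntax error")
    if t[2] not in ACTIONS or t[3] not in PROTOS:
        raise ValueError("bad action or protocol")
    net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    port = int(t[8]) if len(t) == 9 else None
    return int(t[1]), t[2], t[3], net(t[5]), net(t[7]), port

def check_syntax(lines):
    """Dry run: parse every rule, load nothing, report (line, error) per bad line."""
    errors = []
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            try:
                parse_rule(line)
            except ValueError as e:
                errors.append((n, str(e)))
    return errors

def load(lines, skip_errors):
    """Sequential load. skip_errors=False stops at the first bad rule (ipfw's
    behaviour); skip_errors=True models a loader that drops it and carries on."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError:
            if not skip_errors:
                break
    return sorted(rules, key=lambda r: r[0])

def verdict(rules, proto, src, dst, port):
    """First-match evaluation with the default deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and (rsrc is None or src in rsrc) \
           and (rdst is None or dst in rdst) and rport in (None, port):
            return action
    return "deny"

# Constructed ruleset; line 3 carries the typo ('frmo') that stops the load.
RULESET = """\
add 100 allow tcp from 10.0.0.5 to any 22
add 200 deny ip from 192.0.2.0/24 to any
add 300 deny ip frmo 198.51.100.0/24 to any
add 400 allow ip from any to any
""".splitlines()
```

With the strict loader a host in 198.51.100.0/24 falls through to the default deny; with the skipping loader rule 400 is installed and that host is allowed through, which is the false sense of security Reinier describes.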


