Date: Wed, 21 Mar 2001 16:38:55 -0500 From: "Patrick Bihan-Faou" <patrick@netzuno.com> To: <paul@freebsd-services.co.uk>, <cvs-all@freebsd.org> Subject: Re: cvs commit: src/sys/netinet ip_fw.c Message-ID: <HJEEKLMFLKEOKHOKNPBMEECLCMAA.patrick@netzuno.com>
Hi Paul,

> The problem is that it's difficult to flush the rules of a remote server
> because you'll get cut off. What seemed intuitive to me would be to be
> able to specify what the default rule was so that rather than it just
> being deny or allow all it could be something useful. To be useful it
> needs to be more than one rule so we're heading towards the idea of
> groups as you suggest but a very simple solution is to just protect the
> first few rules and treat them as built-in defaults. I did that with
> 10-15 lines of code which were easily audited, having minimal impact on
> the design of IPFW and zero impact on existing installations.

I can completely understand what the reasoning is behind your changes, but rather than treating the first few rules as "static", I would see a better point for treating the LAST few rules as static.

Hopefully your ipfw rule set is defined by some sort of script. In such things, even if I know that the default compiled-in rule is a deny all, I explicitly specify my own deny all rule to terminate the rule set. In such a setup, having a few rules near the end of the table (after the "normal" deny all rule) and making sure that they are not flushed can be a life saver (been there, done that).

The reason why having them near the end is probably more useful is because in a normal setup you may want to have other things done before the "allow tcp from any to me 22" that I need to ensure I don't lose access to the box. These things include nat, various anti-spoof rules etc. They should be done before; the new default rule should be used only when everything else is in limbo.

Maybe the real configuration setting should be a range: low-high, everything between the 2 values is flushed. Having only the low value is not really useful.

Patrick.
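The ordering argument above can be made concrete with a small model of an ipfw-style first-match rule table. This is an added example written for this page, not FreeBSD or ipfw code: the addresses, rule numbers, the `flush(low, high)` range interface and the "protect the first few" versus "protect the last few" layouts are constructed to mirror the two proposals, and the anti-spoof rule is simplified (real ipfw would qualify it with `in via <ext_if>`). It shows that a protected `allow tcp from any to me 22` placed after the explicit deny-all keeps the admin session alive across a flush of the normal range, while the same rule placed first bypasses the anti-spoof check even during normal operation.

```python
"""Toy model of an ipfw-like first-match rule table with a range flush.

Added example, not FreeBSD/ipfw code. Rule numbers, hosts and the
flush(low, high) interface are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"      # assumed address of the firewall host ("me")
DEFAULT_RULE = 65535   # ipfw's compiled-in default rule number


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any protocol)
    src: str               # address or "any"
    dst: str               # address or "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class RuleTable:
    def __init__(self, default_action: str = "deny"):
        self.rules = {}
        self.default_action = default_action

    def add(self, rule: Rule) -> None:
        self.rules[rule.number] = rule

    def flush(self, low: int = 1, high: int = DEFAULT_RULE - 1) -> None:
        """Delete only rules numbered low..high (the proposed range); the rest survive."""
        for n in [n for n in self.rules if low <= n <= high]:
            del self.rules[n]

    def lookup(self, p: Packet):
        """First match wins: lowest-numbered matching rule, else the default rule."""
        for n in sorted(self.rules):
            if self.rules[n].matches(p):
                return self.rules[n].action, n
        return self.default_action, DEFAULT_RULE


def build_table(protect_at_end: bool) -> RuleTable:
    """Load the rule set the way a startup script would (constructed numbers)."""
    t = RuleTable()
    if not protect_at_end:
        t.add(Rule(10, "allow", "tcp", "any", ME, 22))     # "protect the first few" layout
    t.add(Rule(100, "deny", "ip", ME, "any"))              # anti-spoof: my own address arriving from outside
    t.add(Rule(200, "allow", "tcp", "any", ME, 80))        # normal service rules
    t.add(Rule(300, "allow", "tcp", "any", ME, 22))
    t.add(Rule(60000, "deny", "ip", "any", "any"))         # explicit deny-all terminating the set
    if protect_at_end:
        t.add(Rule(65000, "allow", "tcp", "any", ME, 22))  # "protect the last few" layout
    return t


def run_scenario(protect_at_end: bool) -> dict:
    """Evaluate constructed packets before and after flushing the normal range."""
    t = build_table(protect_at_end)
    packets = {
        "admin_ssh": Packet("tcp", "203.0.113.5", ME, 22),   # legitimate admin session
        "spoofed_ssh": Packet("tcp", ME, ME, 22),            # forged source = my own address
        "http": Packet("tcp", "198.51.100.7", ME, 80),
    }
    before = {name: t.lookup(p) for name, p in packets.items()}
    # Flush everything except the protected rules: 65000+ at the end, or rule 10 at the start.
    t.flush(1, 64999) if protect_at_end else t.flush(11, 64999)
    after = {name: t.lookup(p) for name, p in packets.items()}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for layout in (True, False):
        print("protected rules at end:" if layout else "protected rules first:")
        for phase, results in run_scenario(layout).items():
            print(f"  {phase}: {results}")
```

With the protected rule at the end, the intact table still rejects the spoofed packet at the anti-spoof rule (100) and admits the admin at rule 300; after the flush, the admin session survives on rule 65000 and everything else falls to the default deny. The same run also shows the caveat Patrick raises: once the anti-spoof rule is flushed, the fallback rule admits the spoofed packet too, which is why it is a last-resort rule rather than a substitute for the normal set. With the protected rule placed first, the spoofed packet is admitted at rule 10 even while the full table is loaded.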
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?HJEEKLMFLKEOKHOKNPBMEECLCMAA.patrick>