Date:      Sat, 3 Aug 2002 01:51:15 -0700
From:      Luigi Rizzo <>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: CTLFLAG_SECURE patch for ip_fw.c
Message-ID:  <>
In-Reply-To: <>; from on Sat, Aug 03, 2002 at 01:25:59AM -0700
References:  <>

Thanks, but I have a few comments here:

  * ip_fw.c in -current is basically dead, so you can leave it untouched.

  * There are two more related variables, one in net/bridge.c and the other
    one in net/if_ethersubr.c, which control ipfw filtering of bridged
    and layer-2 packets; they should be updated as well.

  * net.inet.ip.fw.debug should be left alone; it does not do anything.

  * maybe net.inet.ip.fw.verbose_limit should be left unsecured as well,
    as I believe there might be cases where you want to change it to
    a different value, e.g. under attack.

  * all dyn_* variables should be unsecured, because again you might
    want to tune them dynamically.

