From: Luigi Rizzo
To: "Crist J. Clark"
Cc: ipfw@FreeBSD.ORG
Date: Sat, 3 Aug 2002 01:51:15 -0700
Subject: Re: CTLFLAG_SECURE patch for ip_fw.c
Message-ID: <20020803015114.A94060@iguana.icir.org>
In-Reply-To: <20020803082559.GF47529@blossom.cjclark.org>

Thanks, but I have a few comments here:

* ip_fw.c in -current is basically dead, so you can leave it untouched.

* There are two more related variables, one in net/bridge.c and the
  other one in net/if_ethersubr.c, which control ipfw filtering of
  bridged and layer-2 packets, they should be updated as well;

* net.inet.ip.fw.debug should be left alone, it does not do anything
  critical;

* maybe net.inet.ip.fw.verbose_limit should be left unsecured as well,
  as I believe there might be cases where you want to change it to a
  different value e.g. under attack.

* all dyn_* variables should be unsecured, because again you might
  want to tune them dynamically.

	thanks
	luigi