Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 3 Aug 2002 01:51:15 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: CTLFLAG_SECURE patch for ip_fw.c
Message-ID:  <20020803015114.A94060@iguana.icir.org>
In-Reply-To: <20020803082559.GF47529@blossom.cjclark.org>; from crist.clark@attbi.com on Sat, Aug 03, 2002 at 01:25:59AM -0700
References:  <20020803082559.GF47529@blossom.cjclark.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Thanks, but I have a few comments here:

  * ip_fw.c in -current is basically dead, so you can leave it untouched.

  * There are two more related variables, one in net/bridge.c and the other
    one in net/if_ethersubr.c, which control ipfw filtering of bridged
    and layer-2 packets, they should be updated as well;

  * net.inet.ip.fw.debug should be left alone, it does not do anything
    critical;

  * maybe net.inet.ip.fw.verbose_limit should be left unsecured as well,
    as i believe there might be cases where you want to change it to
    a different value e.g. under attack.

  * all dyn_* variables should be unsecured, because again you might
    want to tune them dynamically.

	thanks
	luigi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20020803015114.A94060>