From: Garance A Drosihn
To: "Jeroen C. van Gelderen", Robert Watson
Cc: "Crist J. Clark", src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Date: Fri, 21 Feb 2003 18:02:12 -0500
Subject: Re: cvs commit: src/sys/netinet in_pcb.c (priv ports)
In-Reply-To: <4B77CF28-45C2-11D7-9535-000393754B1C@vangelderen.org>

At 6:31 PM +0100 2/21/03, Jeroen C. van Gelderen wrote:
>
> In the meantime however, allowing an extension of the original,
> overly restrictive feature provides some relief.

I do think the change as done is a fine change. I would not even suggest that it be labelled "experimental".

> For a large class of well-designed network protocols (including
> SSH) the associated risk is limited to mere Denial of Service;
> Annoying but preferred over a potential root compromise.

The one thing we need to make clear is that the admin is not opening up "just SSH -- which we can trust"; they are going to open up a range of ports. I think it's good to give them a way to do that, as long as it is clearly documented what they are doing. We should not say "just type in this command to open up FTP!" when the command is opening up more than FTP.

However, I have a vague feeling that I am not understanding this update quite right, as I certainly have been confused by some of the replies in this thread. I should look at it more before I say something profoundly stupid about it.

> And given that they are optional *and* disabled by default, the
> new sysctls fit the FreeBSD mantra of "providing tools, not policy".

I do think it's a useful change. It's just not useful enough that I (personally) would use it, even though I would take advantage of something a little more flexible. I do understand that "more flexible" implies "more work" though.

--
Garance Alistair Drosehn     =   gad@gilead.netel.rpi.edu
Senior Systems Programmer    or  gad@freebsd.org
Rensselaer Polytechnic Institute  or  drosih@rpi.edu