Date: Thu, 13 Jun 1996 12:34:18 -0500 From: Alex Nash <alex@fa.tdktca.com> To: Gary Palmer <gpalmer@FreeBSD.org> Cc: Ollivier Robert <roberto@keltia.freenix.fr>, "FreeBSD Current Users' list" <freebsd-current@FreeBSD.org> Subject: Re: #include opt_ipfw.h problem for lkm Message-ID: <31C0511A.279A7B71@fa.tdktca.com> References: <21410.834673943@palmer.demon.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Gary Palmer wrote: > On this subject, does anyone object to my REMOVAL of the option to > have IPFW as an LKM? Having it as an LKM is (IMHO) stupid ... all a > person breaking in needs to do to throw security WIDE open is > modunload the module, and then the machine will fall back to being a > simple router. Not my idea of a secure option. > > Will anyone seriously miss it if I remove the lkm? I know at least one person who will... The following exchange resulted from PR 1192: From: Garrett Wollman To: nash@mcs.com Cc: FreeBSD-gnats-submit@freebsd.org, phk@freebsd.org Subject: kern/1192: Kernel IPFW Date: Sun, 12 May 1996 16:23:32 -0400 < said: > Moved the majority of code out of the ipfw_load (module load) > routine and instead issue a call to ipfw_init which does the same > thing (sans the splnet() issued at the beginning of ipfw_load). Actually, I would very much like to get rid of the dynamically-loadable IPFW module entirely. If you are running any sort of a reasonable router configuration (i.e., with multiple cards from the same vendor), you will have to reconfigure the kernel anyway, and I think there are probably good security reasons for wanting in that way. (What if the LKM fails to load because you are out of disk space in /tmp? Oops.) Perhaps more significantly, it puts extra hair in the IP input and output paths that doesn't need to be there in the common case (workstation or non-firewalling router), so I'd like to see it removed. (And yes, I do remember that I'm the one who suggested making it into an LKM in the first place!) -GAWollman -- Garrett A. Wollman | Shashish is simple, it's discreet, it's brief. ... wollman@lcs.mit.edu | Shashish is the bonding of hearts in spite of distance. Opinions not those of| It is a bond more powerful than absence. We like people MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant From: Poul-Henning Kamp To: Garrett Wollman Cc: nash@mcs.com, FreeBSD-gnats-submit@freebsd.org Subject: Re: kern/1192: Kernel IPFW Date: Sun, 12 May 1996 20:57:43 +0000 > Actually, I would very much like to get rid of the > dynamically-loadable IPFW module entirely. I think that this makes sense from a security point of view, but people use it for a lot of things besides security. The hooks are very general and can be used for a bunch of other things as well, so I think this is all in all, not a good idea. -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so. Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?31C0511A.279A7B71>