Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Jul 1999 20:48:28 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        "Brian F. Feldman" <green@FreeBSD.ORG>
Cc:        Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: securelevel and ipfw zero
Message-ID:  <199907270348.UAA49943@apollo.backplane.com>
References:   <Pine.BSF.4.10.9907262322120.35843-100000@janus.syracuse.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
:
:> 
:> :That doesn't mean we shouldn't allow people to have an unsophisticated setup,
:> :just because a sophisticated one is available. It would be useful to have
:> :a per-firewall-rule counter, decrement it on each match if logging and
:> :set, and be able to reset to something higher.
:> :
:> : Brian Fundakowski Feldman      _ __ ___ ____  ___ ___ ___  
:> 
:>     There may be some confusion here.  I am advocating that we *allow* the
:>     zeroing of counters at secure level 3.
:
:Which is what I am advocating against.

    Let me put it a different way:

    ipfw allows you to clear counters.  It is a feature that already exists.

    However, it does not allow you to do it if you are sitting at secure
    level 3.

    Why not?  I can't think of any good reason why clearing the counters 
    should be disallowed when sitting at a higher secure level.  The counters
    are nothing more then statistics.  Clearing statistics is not a security
    threat.

    The discussion should simply be about that.  Not all this garbage about
    adding new features.  There's a feature that does not seem to impact
    security, secure level disallows it, why?

					-Matt


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?199907270348.UAA49943>