Date:      Wed, 21 Mar 2001 15:34:42 -0600
From:      Bill Fumerola <billf@mu.org>
To:        Paul Richards <paul@freebsd-services.co.uk>
Cc:        Poul-Henning Kamp <phk@critter.freebsd.dk>, Paul Richards <paul@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID:  <20010321153442.H2567@elvis.mu.org>
In-Reply-To: <3AB91CC0.9F52628A@freebsd-services.co.uk>; from paul@freebsd-services.co.uk on Wed, Mar 21, 2001 at 09:27:28PM +0000
References:  <89202.985209871@critter> <3AB91CC0.9F52628A@freebsd-services.co.uk>

On Wed, Mar 21, 2001 at 09:27:28PM +0000, Paul Richards wrote:

> Configuring any *firewall* without a default deny rule is foolhardy then
> :-)

locking yourself out of a machine miles away from where you are is probably
just as foolhardy.

if your machine could be compromised/attacked within the span of however
long it takes to reload all your rules, that's some seriously large holes you
have.

in any event, when I'm done with the ipfw lists support (aka ipfw rulesets,
I can never decide on what to name things...) you'll be able to set up a
list and then atomically switch to it, avoiding the need for hacks like
flush-resistant rules. I'm still not opposed to flushproof rules, done right,
however.

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org
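An added example, not code from this thread or from FreeBSD, of the atomic switch
described in the message above, written against the ipfw(8) rule-set mechanism
(sets 0-31 that can be disabled, enabled and swapped as a unit) that later
releases ship. The replacement policy is built in a disabled set while the live
set keeps filtering, one command swaps the two, and a timer swaps them back
unless the change is confirmed, which is the guard against the remote lockout
Bill warns about. The set numbers, file paths, timeout and the sample rules file
are assumptions made for the example.

```shell
#!/bin/sh
# Atomic ipfw ruleset replacement with a lockout guard.
# Added example, not code from this thread or from FreeBSD. It assumes the
# ipfw(8) "set" mechanism of later releases (rule sets 0-31 that can be
# disabled, enabled and swapped as a unit) and a rules file holding one rule
# body per line. Paths, set numbers and the timeout are arbitrary choices.

IPFW=${IPFW:-ipfw}                  # point at a recorder for a dry run
LIVE=0                              # set that is filtering right now
STAGE=1                             # set the replacement is built in
GUARD_SECS=${GUARD_SECS:-120}       # seconds before an unconfirmed swap reverts
CONFIRM=${CONFIRM:-/var/run/ipfw.confirmed}

# Refuse a file that does not end in an explicit deny: with a default-allow
# kernel the implicit rule 65535 would otherwise pass everything unmatched.
check_rules() {
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | tail -n 1)
    case $last in deny*) return 0 ;; *) return 1 ;; esac
}

# Build the new rules in the disabled staging set. The live set keeps
# filtering the whole time, so there is never an empty table on the wire.
stage_rules() {
    $IPFW -q set disable "$STAGE"
    $IPFW -q delete set "$STAGE"
    n=100
    while IFS= read -r rule || [ -n "$rule" ]; do
        case $rule in ''|'#'*) continue ;; esac
        # $rule is deliberately unquoted: each word is one ipfw token
        $IPFW -q add "$n" set "$STAGE" $rule
        n=$((n + 100))
    done < "$1"
}

# One operation exchanges the two set numbers: the staged rules become set
# LIVE (enabled) and the old rules become set STAGE (disabled) but are kept,
# so swapping again is a complete rollback.
swap_sets() {
    $IPFW -q set swap "$LIVE" "$STAGE"
}

# Dead-man switch: unless confirm runs first, swap back after GUARD_SECS.
# Armed before the swap so a session cut off by the new rules still recovers.
arm_guard() {
    rm -f "$CONFIRM"
    ( trap '' HUP                   # survive the ssh session dying
      sleep "$GUARD_SECS"
      [ -e "$CONFIRM" ] || swap_sets ) &
    GUARD_PID=$!
}

confirm() { : > "$CONFIRM"; }

apply_ruleset() {
    check_rules "$1" || { echo "refusing: last rule is not a deny" >&2; return 1; }
    stage_rules "$1"
    arm_guard
    swap_sets
    echo "new rules live; run confirm within ${GUARD_SECS}s or they revert"
}

# Constructed sample rules file for trying the script (not a real policy).
write_sample_rules() {
    cat > "$1" <<'EOF'
# management first, so a bad later rule cannot lock us out
allow tcp from 192.0.2.0/24 to me 22
allow ip from any to any via lo0
check-state
allow tcp from me to any out setup keep-state
allow udp from me to any 53 out keep-state
deny log ip from any to any
EOF
}

case ${1:-} in
    apply)   apply_ruleset "$2" ;;
    confirm) confirm ;;
esac
```

Usage on a box with ipfw: `sh atomic_ipfw.sh apply /etc/ipfw.new`, then, from a
fresh session that proves the new policy still lets you in, `sh atomic_ipfw.sh
confirm` before the timer fires. `IPFW=echo sh atomic_ipfw.sh apply file` shows
the exact command sequence without touching the kernel. The old rules are never
deleted by the swap, only moved to the disabled set, so the rollback is the
same single swap command and does not depend on re-reading any file.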



