Date:      Wed, 18 Jun 1997 22:42:44 -0700 (PDT)
From:      Archie Cobbs <archie@whistle.com>
To:        ahd@kew.com (Drew Derbyshire)
Cc:        hackers@FreeBSD.ORG, julian@whistle.com
Subject:   Re: Adding a new feature to 2.2 series?
Message-ID:  <199706190542.WAA02606@bubba.whistle.com>
In-Reply-To: <199706181926.PAA04006@pandora.hh.kew.com> from Drew Derbyshire at "Jun 18, 97 03:26:15 pm"


> If you're hacking the code, add a wish for the ipfw command line
> side, although not for 2.2.x ...
> 
> Consider parsing the port and IP address fields for the contents
> of /etc/services, /etc/hosts and /etc/network.  I find the requirement
> to use numerics to be extremely error prone.  I presume this is
> currently done because NIS and DNS are not presumed to be available
> when ipfw is run and the stock gethostbyname, etc. would attempt
> to access these services.

DNS/NIS are not required to use /etc/services as far as I know,
so that's not the reason..

I was under the impression that this was done for security reasons,
i.e., if someone hacks (i.e., modifies) your /etc/services, they can
then render your TCP and UDP packet filtering useless..

Of course, if they can do this, they can probably hack ipfw too ..

I agree, at least it should be enablable via a command line option.
I'll look at adding this to the patch.. shouldn't be hard. Comments?

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
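An added example (not from this thread and not FreeBSD's ipfw code) showing the trade-off discussed above: service names are parsed from an /etc/services-style table, checked against the administrator's own pinned values so a modified file is noticed, and the rule is emitted with numeric ports so the kernel rule set never depends on that file afterwards. The sample services text, the pinned table and the rule layout are constructed assumptions.

```python
import re

# Constructed sample in /etc/services format (not the real file).
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]
ftp        21/tcp
ssh        22/tcp
smtp       25/tcp    mail
domain     53/tcp
domain     53/udp
http       80/tcp    www
"""

def parse_services(text):
    """Parse /etc/services-style text into {(name, proto): port}; aliases are included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        fields = line.split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = port
    return table

def resolve_port(spec, proto, table):
    """Accept a numeric port or a service name; names are looked up in the parsed table."""
    if spec.isdigit():
        return int(spec)
    if (spec, proto) not in table:
        raise ValueError(f"unknown {proto} service {spec!r}")
    return table[(spec, proto)]

def check_pinned(table, pinned):
    """Names whose parsed port differs from the administrator's pinned expectation (assumed)."""
    return sorted(f"{n}/{p}" for (n, p), port in pinned.items() if table.get((n, p)) != port)

def build_rule(number, action, proto, src, dst, dport, table):
    """Emit an ipfw rule with the destination port already numeric."""
    return f"ipfw add {number} {action} {proto} from {src} to {dst} {resolve_port(dport, proto, table)}"

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    print(check_pinned(table, {("smtp", "tcp"): 25, ("ssh", "tcp"): 22}))  # [] when untampered
    print(build_rule(100, "allow", "tcp", "any", "any", "smtp", table))
```

Run check_pinned before generating rules and refuse to load the set when it returns anything; the emitted rules then carry numbers only, so a later edit to the services file cannot silently change what the filter matches.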


