From owner-freebsd-hackers Mon Dec 18 09:04:25 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id JAA07046 for hackers-outgoing; Mon, 18 Dec 1995 09:04:25 -0800 (PST)
Received: from gw.pinewood.nl (gw.pinewood.nl [192.31.139.9]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id JAA07041 for ; Mon, 18 Dec 1995 09:04:19 -0800 (PST)
Received: (from smap@localhost) by gw.pinewood.nl (8.6.12/8.6.12) id SAA03486; Mon, 18 Dec 1995 18:04:18 +0100
Received: from pwood1.pinewood.nl(192.168.1.10) by gw.pinewood.nl via smap (V1.3) id sma003484; Mon Dec 18 18:03:55 1995
Received: (from franky@localhost) by pwood1.pinewood.nl (8.6.12/8.6.12) id SAA08521; Mon, 18 Dec 1995 18:01:27 +0100
From: "Frank ten Wolde"
Message-Id: <9512181801.ZM8519@pwood1.pinewood.nl>
Date: Mon, 18 Dec 1995 18:01:27 +0100
In-Reply-To: Nate Williams "Re: Order of rules in ip_fw chain" (Dec 15, 9:39)
References: <9512151302.ZM27077@pwood1.pinewood.nl> <199512151611.JAA16380@rocky.sri.MT.net> <9512151720.ZM309@pwood1.pinewood.nl> <199512151639.JAA16535@rocky.sri.MT.net>
X-Face: 'BsFf8'k.q?J#?|$D*,)/?sRB{woUK&9\5K{ERmT;VTSyNLBb?muLf>b:Pt&VTDw8YCaC]6 C!MRSMr5UNjZLa]fi?
X-Mailer: Z-Mail (3.2.1 10oct95)
To: Nate Williams
Subject: Re: Order of rules in ip_fw chain
Cc: hackers@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-hackers@FreeBSD.ORG
Precedence: bulk

On Dec 15, 9:39, Nate Williams wrote:
> Subject: Re: Order of rules in ip_fw chain
>
> > > > 2) I noticed that the order in which the fw checks incoming packets is
> > > > *not* the same as the order in which the packet rules were added.
> > > > IMHO this should be fixed. I have not had the time (yet) to have
> > > > a look at the source myself, but will do so in the next few weeks.
> > > [ Explanation about priority based rules deleted ]
>
> Finally, while I agree that not allowing the filtering rules is a good
> thing, I'm of the opinion that it's much better to allow changing it
> without having to reboot the system. I have a pretty good set of rules,
> but there are occasions when I need to open up the firewall to 'trusted'
> hosts, and I'd rather not bring down my Internet connection to do it.

I think we disagree here, or our needs differ greatly :-)

I still think it's better for safety that *if* my Bastion host is
compromised (someone evil becomes root) they still cannot flush the fw
chain. I accept bringing down the host to single-user mode for
adding/deleting rules -- after *careful* consideration of the new rules.

Should we make the save-fw-chain a configuration option in the kernel?

Perhaps we must add a new level to securelevel to allow for secure fw
chains *on top of* the very secure mode (e.g., securelevel 3).

Maybe we need to re-define securelevel to be a bit-field to enable secure
mode for independent sub-systems in the kernel? Would this be too large a
deviation from the original 4.4BSD definition?

> Nate

-Frank
-- 
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                       Pinewood Automation B.V.
E-mail: franky@pinewood.nl                    Kluyverweg 2a
Phone: +31-15 2682543                         2629 HT Delft
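The two securelevel designs Frank floats above (a new level 3 on top of the 4.4BSD levels, or a bit-field with one lock per kernel subsystem), modelled as a small C program. This is an added example, not FreeBSD kernel code and not written by anyone in the thread; every name in it (SL_*, SLB_*, securelevel_set, lockbits_set, the *_writable_* checks) is invented for the illustration. What it encodes is the one 4.4BSD rule that makes "a compromised root cannot flush the chain" hold: securelevel may be raised by any root process but lowered only by init while the system goes single-user, so a firewall lock tied to it is a ratchet. (FreeBSD later did add a securelevel 3 that makes the IP packet filter rules immutable.)

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the designs discussed on the list. Illustrative C,
 * not FreeBSD kernel code; all identifiers are invented for this example. */

/* Scalar design: one integer, each level implying every restriction of the
 * levels below it. Level 3 is the proposed "fw chain is read-only" level
 * on top of the existing 4.4BSD levels -1..2. */
enum securelevel {
    SL_PERMANENTLY_INSECURE = -1,
    SL_INSECURE             =  0,
    SL_SECURE               =  1,
    SL_HIGHLY_SECURE        =  2,
    SL_NETWORK_SECURE       =  3   /* proposed: ip_fw chain locked */
};

/* Bit-field design: one bit per subsystem, each lockable independently. */
#define SLB_IMMUTABLE_FLAGS 0x01u  /* immutable/append-only flags can't be cleared */
#define SLB_RAW_DISK        0x02u  /* no writes to mounted raw disks */
#define SLB_KMEM            0x04u  /* no writes to /dev/mem and /dev/kmem */
#define SLB_FW_CHAIN        0x08u  /* no add/delete/flush of ip_fw rules */

struct kernel_state {
    int      securelevel;  /* scalar design */
    unsigned lockbits;     /* bit-field design */
    bool     single_user;  /* set once init has taken the system single-user */
};

/* Any root process may raise the level; lowering is allowed only to init,
 * and only while the system is single-user. A root compromise on a running
 * multi-user bastion therefore cannot switch the lock off. */
int securelevel_set(struct kernel_state *ks, int newlevel, bool caller_is_init)
{
    if (newlevel >= ks->securelevel || (caller_is_init && ks->single_user)) {
        ks->securelevel = newlevel;
        return 0;
    }
    return -1;  /* EPERM */
}

/* Same ratchet for the bit-field: bits may be added freely, cleared only
 * by init in single-user mode. */
int lockbits_set(struct kernel_state *ks, unsigned newbits, bool caller_is_init)
{
    bool only_adds_bits = (newbits & ks->lockbits) == ks->lockbits;
    if (only_adds_bits || (caller_is_init && ks->single_user)) {
        ks->lockbits = newbits;
        return 0;
    }
    return -1;  /* EPERM */
}

/* The check an ip_fw add/delete/flush request would make in each design. */
bool fw_chain_writable_scalar(const struct kernel_state *ks)
{
    return ks->securelevel < SL_NETWORK_SECURE;
}
bool fw_chain_writable_bits(const struct kernel_state *ks)
{
    return (ks->lockbits & SLB_FW_CHAIN) == 0;
}
bool kmem_writable_bits(const struct kernel_state *ks)
{
    return (ks->lockbits & SLB_KMEM) == 0;
}

/* Frank's scenario: the bastion boots multi-user to level 3, root is then
 * compromised, and the attacker tries to lower securelevel and flush.
 * Returns true when the chain stayed locked throughout. */
bool bastion_survives_root_compromise(void)
{
    struct kernel_state ks = { SL_INSECURE, 0, false };
    securelevel_set(&ks, SL_NETWORK_SECURE, false);              /* rc at boot */
    bool lowered = securelevel_set(&ks, SL_INSECURE, false) == 0; /* attacker */
    return !lowered && !fw_chain_writable_scalar(&ks);
}

/* The cost Nate objects to: even init cannot unlock while multi-user; the
 * rules become editable only after the box is taken single-user. */
bool rules_editable_after_single_user(void)
{
    struct kernel_state ks = { SL_NETWORK_SECURE, 0, false };
    if (securelevel_set(&ks, SL_INSECURE, true) == 0)  /* init, still multi-user */
        return false;
    ks.single_user = true;
    return securelevel_set(&ks, SL_INSECURE, true) == 0 && fw_chain_writable_scalar(&ks);
}

/* What the bit-field buys: lock the chain without also locking kmem,
 * while the ratchet property is kept. */
bool bitfield_locks_fw_only(void)
{
    struct kernel_state ks = { SL_INSECURE, 0, false };
    lockbits_set(&ks, SLB_FW_CHAIN, false);
    return !fw_chain_writable_bits(&ks) && kmem_writable_bits(&ks)
        && lockbits_set(&ks, 0, false) != 0;
}

int main(void)
{
    printf("scalar: chain locked against compromised root: %s\n",
           bastion_survives_root_compromise() ? "yes" : "no");
    printf("scalar: editable once init goes single-user:   %s\n",
           rules_editable_after_single_user() ? "yes" : "no");
    printf("bitfield: fw locked while kmem stays writable: %s\n",
           bitfield_locks_fw_only() ? "yes" : "no");
    return 0;
}
```

The bit-field variant makes Frank's last question concrete: the chain lock can be taken on its own, without also forbidding writes to kmem or the raw disks, but the scalar's invariant that a higher level implies every lower restriction is gone, so each subsystem's check has to test its own bit rather than compare against a single number.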