From owner-freebsd-hackers Thu Apr 3 18:43:58 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA09308 for hackers-outgoing; Thu, 3 Apr 1997 18:43:58 -0800 (PST)
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA09284 for ; Thu, 3 Apr 1997 18:43:50 -0800 (PST)
Received: from zen.nash.org (localhost [127.0.0.1]) by zen.nash.org (8.8.5/8.6.12) with SMTP id UAA00446; Thu, 3 Apr 1997 20:42:57 -0600 (CST)
Message-ID: <33446AB1.41C67EA6@mcs.com>
Date: Thu, 03 Apr 1997 20:42:57 -0600
From: Alex Nash
X-Mailer: Mozilla 3.01Gold (X11; I; FreeBSD 2.2-RELEASE i386)
MIME-Version: 1.0
To: Joerg Wunsch
CC: hackers@freebsd.org, avalon@coombs.anu.edu.au
Subject: Re: securelevel & IP filter
References: <199704031317.FAA21733@freefall.freebsd.org> <19970403233738.KY42145@uriah.heep.sax.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

J Wunsch wrote:
>
> As Darren Reed wrote:
>
> > It has been suggested that IP Filter disallow changes to filter rules if
> > securelevel is set to some level...(I think 3 was the suggestion).
>
> I personally think securelevel 2 would be sufficient. It blocks
> already enough things, like running an Xserver :).
>
> But the most important is that you make this consistent throughout all
> BSDs, including BSD/OS, if possible.

There's some (albeit arbitrary) precedent for using 3 already in ipfw. The main reason 2 was avoided was the principle of least surprise.

Alex