Date:      Thu, 4 Feb 1999 14:55:25 -0500 (EST)
From:      mike@seidata.com
To:        James Wyatt <jwyatt@RWSystems.net>
Cc:        Sheldon Hearn <axl@iafrica.com>, Chris Larsen <vader@vader.dk>, security@FreeBSD.ORG
Subject:   Re: Enabling bpf device in kernel (was: Re: tcpdump) 
Message-ID:  <Pine.BSF.4.05.9902041446380.15864-100000@ns1.seidata.com>
In-Reply-To: <Pine.BSF.4.05.9902040837160.14557-100000@kasie.rwsystems.net>

On Thu, 4 Feb 1999, James Wyatt wrote:

> While I understand your point, it smacks of elitism. Many of the admins
> clue-level started at the lame-level hacking on their own machine. Some

No, it doesn't 'smack[..] of elitism', it makes a very good point:
many of the users of FreeBSD (or any OS) will have no clue what bpf is
- or how to disable it if they do not want it running.  It is not wise
to put tools in the hands of people without their knowing what those
tools are or how to use them - especially something with bpf's
implications.  As it is now, one must research bpf and LEARN something
before mindlessly enabling it...  the approach you suggest removes all
effort from the process.

As for a GENERIC kernel that has numerous non-needed options enabled
and is overly-bloated, might I suggest http://www.microsoft.com.

The main argument I have heard for including bpf is, 'it will reduce
kernel compile time'.  Bologna.  I don't want bpf running on my
production Internet machines, so I will be compiling far more just to
remove the bpf support.

The reduced or increased kernel compile time is not the issue,
anyway...  since anyone who has used FreeBSD (or any Unix) for long at
all will be re-compiling their kernel.  It is no harder to add
'pseudo-device bpf 2' than it is to remove 'pseudo-device bpf 2'.  The
issue is remembering what GENERIC is for.  It's not meant to hold
every possible kernel option under the sun...

Heck, why not just mv LINT GENERIC?

> us - especially if they read the lists and a doc or two. Adding BPF isn't
> like putting the RedHat CD on my Multia and seeing it install NFS and

Actually, it's heading down the same slippery slope...  enable as much
by default as possible so the unknowing user can utilize as many
utilities as possible...  Down side?  Loss of efficiency and lack of
security.

--
 Mike Hoskins
 System/Network Administrator
 SEI Data Network Services, Inc.
 http://www.seidata.com

