Date: Tue, 2 Feb 1999 19:52:13 -0800 (PST)
From: Matthew Dillon
Message-Id: <199902030352.TAA42425@apollo.backplane.com>
To: "Jordan K. Hubbard"
Cc: "Jonathan M. Bresler", woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump
References: <9575.918011566@zippy.cdrom.com>

:OK, time to raise this topic again. What do people think about
:enabling bpfilter by default in GENERIC?
:
:And before everyone screams "That would not be BSD!" let me just
:note that NetBSD and probably OpenBSD (haven't looked) already do
:this.
:
:- Jordan

Well, not having bpfilter enabled by default doesn't really enhance
security since the kernel module loader *is* enabled by default.

Still, perhaps it would be a good idea to lock out new open()'s on bpf
when the secure level is > 0. The module loader already disables itself
when securelevel > 0.

-Matt
Matthew Dillon