From owner-freebsd-security  Tue Feb  2 20:35:54 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA12960
          for freebsd-security-outgoing; Tue, 2 Feb 1999 20:35:54 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA12947;
          Tue, 2 Feb 1999 20:35:52 -0800 (PST)
          (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id XAA25416;
	Tue, 2 Feb 1999 23:35:48 -0500 (EST)
Date: Tue, 2 Feb 1999 23:35:47 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
cc: "Jonathan M. Bresler" <jmb@FreeBSD.ORG>,
        woodford@cc181716-a.hwrd1.md.home.com, security@FreeBSD.ORG
Subject: Re: tcpdump 
In-Reply-To: <9575.918011566@zippy.cdrom.com>
Message-ID: <Pine.BSF.3.96.990202233308.21838C-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:

> OK, time to raise this topic again.  What to people think about
> enabling bpfilter by default in GENERIC?
> 
> And before everyone screams "That would not be BSD!" let me just
> note that NetBSD and probably OpenBSD (haven't looked) already do
> this.

I'd love to see this.  This would enable applications like DHCP out of the
box, which is probably desirable from a notebook perspective.

As Matt points out, the security limitations are not very clear: the
securelevel code generally requires a lot of modifications to the base
system, so my temptation is to ignore the issue, but create a securelevel
man page that discusses "things to do in making a securelevel-friendly
system", and add to it: disable bpf.

  Robert N Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message