Date: Wed, 21 Mar 2001 04:34:08 -0500
From: Daniel Hagan <dhagan@colltech.com>
To: Paul Richards <paul@freebsd-services.co.uk>
Cc: Mark Murray <mark@grondar.za>, freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
Message-ID: <3AB87590.FA684AE7@colltech.com>
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> <3AB85B6F.32E9EE7C@freebsd-services.co.uk>
> It sets a rule number below which rules will not be flushed. I've been
> using it to install permanent rules, like SSH access from the office to
> remote servers, so I can flush the majority of rules but keep those that
> are essential to allow me to maintain connectivity to the box.

I'm a little concerned that this overrides the meaning of the rule numbers. Now they will define what order rules are processed and whether they can be flushed. Wouldn't it be more orthogonal to add a flag to each rule (like the log keyword) to mark permanent rules?

I don't know anything about the ipfw code, so maybe this is impractical (and I'm sure it would require more work), but it sounds worth it to me. I'd certainly love to have this feature, but I think it would be more intuitive & useful as a per-rule flag.

If this matter is going to be discussed at length, it should probably move to -security and/or -ipfw.

Daniel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
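The two semantics under discussion, as an added example that is not part of the thread and not ipfw's own code: a small Python script that parses constructed `ipfw list` output and computes what a selective flush would delete under (a) Paul's "keep every rule numbered below N" scheme and (b) a per-rule marker of the kind Daniel suggests. Since ipfw has no such flag, the marker is emulated here as a hypothetical `// permanent` rule comment. The script also does the check a practitioner would want before flushing a remote box: confirm that a rule allowing SSH from the admin host survives. The rule set, addresses and marker are all assumptions.

```python
"""Emulate two ways of letting ipfw rules survive a flush (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `ipfw list` output; not captured from a real host.
# 65535 is ipfw's built-in default rule and can never be deleted.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00200 allow tcp from 192.0.2.10 to me 22
00300 allow tcp from me to any established
01000 allow tcp from any to me 80
01100 allow udp from any 53 to me
01200 allow tcp from 198.51.100.5 to me 22 // permanent
65535 deny ip from any to any
"""

DEFAULT_RULE = 65535
# Hypothetical marker for the per-rule-flag proposal, emulated as a rule comment.
PERMANENT_MARKER = "permanent"

# "<number> <rule body> [// <comment>]"
RULE_RE = re.compile(r"^(\d{1,5})\s+(.*?)(?:\s*//\s*(.*))?$")


@dataclass
class Rule:
    number: int
    body: str
    comment: str = ""

    @property
    def permanent(self) -> bool:
        return self.comment.strip() == PERMANENT_MARKER


def parse_ipfw_list(text: str) -> list:
    """Parse `ipfw list`-style lines into Rule objects, skipping anything unparseable."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append(Rule(int(m.group(1)), m.group(2), m.group(3) or ""))
    return rules


def flush_by_threshold(rules, keep_below: int) -> list:
    """Scheme (a): rules numbered below keep_below survive; return the rules to delete."""
    return [r for r in rules if r.number >= keep_below and r.number != DEFAULT_RULE]


def flush_by_flag(rules) -> list:
    """Scheme (b): rules carrying the marker survive regardless of number."""
    return [r for r in rules if not r.permanent and r.number != DEFAULT_RULE]


def delete_commands(to_delete) -> list:
    """Turn the deletion set into the ipfw commands that would carry it out."""
    return [f"ipfw delete {r.number}" for r in to_delete]


SSH_RE = re.compile(r"^allow tcp from (\S+) to me 22$")


def keeps_ssh_from(rules, to_delete, admin_host: str) -> bool:
    """True if at least one rule allowing SSH from admin_host survives the flush."""
    deleted = {r.number for r in to_delete}
    for r in rules:
        if r.number in deleted:
            continue
        m = SSH_RE.match(r.body)
        if m and m.group(1) == admin_host:
            return True
    return False


if __name__ == "__main__":
    rules = parse_ipfw_list(SAMPLE_RULES)
    for label, to_delete in (("threshold < 1000", flush_by_threshold(rules, 1000)),
                             ("per-rule marker", flush_by_flag(rules))):
        print(f"{label}: {' ; '.join(delete_commands(to_delete))}")
        for host in ("192.0.2.10", "198.51.100.5"):
            print(f"  SSH from {host} still allowed: {keeps_ssh_from(rules, to_delete, host)}")
```

Running it shows the point of the disagreement: under the threshold scheme the marked rule 01200 is deleted because its number is too high, while under the per-rule marker scheme rule 00200 is deleted because it carries no marker. Either way, running `keeps_ssh_from` against the planned deletion set before issuing the `ipfw delete` commands is what stops a flush from locking the admin out.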