From: "Jan B. Koum"
To: freebsd-net@FreeBSD.ORG
Date: Mon, 26 Oct 1998 22:41:46 -0800
Subject: tcp resets with ipfw
Message-ID: <19981026224146.A9124@best.com>

Hello,

It will really be sad when someday someone with root access to a FreeBSD box does (either accidentally or on purpose):

    # ipfw add 1 reset tcp from any to any

While one might argue this is equivalent to doing "rm -rf /*", many people alias rm to rm -i. Would it make sense to have the ipfw code check to make sure people don't take down the network by making a typo or some such? If so, how would we do that?

I like the way Cisco routers do it:

    This may severely impact network performance. Continue? [confirm]

But ipfw has to be non-interactive (sh /etc/rc.firewall). On the other hand, maybe when someone is about to take down their network it would make sense to be interactive to make sure they know what they are doing?

I guess this is going all the way back to "Unix lets you do stupid things - else it wouldn't let you do smart things" or some such saying.

-- Yan
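One way to get the "are you sure?" check the post asks for without making ipfw itself interactive is a small sh wrapper that inspects the rule words before handing them to ipfw. The script below is an added example written for this page; it is not part of FreeBSD or of the original message. The function and variable names (ipfw_rule_is_catchall, safe_ipfw_add, IPFW, IPFW_CONFIRM_CATCHALL) are assumptions chosen for the example. The check is deliberately narrow: it only flags a reset/deny/drop/unreach/reject action applied to exactly "from any to any" with no further qualifier (no port, no via, no in/out), which is the rule shape that takes the whole box off the network. Because the wrapper is driven by an environment variable rather than a prompt, it still works from a non-interactive sh /etc/rc.firewall, and a script that really wants a catch-all default-deny at the end of its ruleset can set the variable for that one line.

```shell
#!/bin/sh
# Added example (not FreeBSD code): a guard around "ipfw add" that refuses
# catch-all reset/deny rules unless the caller has explicitly opted in.
#
# Usage:  . ./ipfw_guard.sh
#         safe_ipfw_add 1 reset tcp from any to any      # refused, exit 2
#         IPFW_CONFIRM_CATCHALL=yes safe_ipfw_add 65000 deny ip from any to any

# ipfw_rule_is_catchall RULE-WORDS...
# Returns 0 (true) when the words describe a rule that blocks or resets
# all traffic: [number] ACTION [log] PROTO from any to any, and nothing else.
ipfw_rule_is_catchall() {
    # Optional leading rule number.
    case "$1" in
        [0-9]*) shift ;;
    esac
    # Only traffic-killing actions are of interest.
    case "$1" in
        reset|deny|drop|unreach|reject) shift ;;
        *) return 1 ;;
    esac
    # ipfw accepts an optional "log" keyword after the action.
    if [ "$1" = log ]; then shift; fi
    # A protocol keyword (tcp, udp, ip, all, ...) must follow.
    [ $# -ge 1 ] || return 1
    shift
    # Exactly "from any to any" with no qualifier (port, via, in, out ...)
    # is the shape that takes the whole box off the network.
    [ $# -eq 4 ] || return 1
    [ "$1" = from ] && [ "$2" = any ] && [ "$3" = to ] && [ "$4" = any ]
}

# safe_ipfw_add RULE-WORDS...
# Adds the rule via "$IPFW add" (default: ipfw) unless it is a catch-all
# block rule and IPFW_CONFIRM_CATCHALL is not "yes". Exit status 2 means
# the rule was refused; otherwise the exit status of ipfw is returned.
safe_ipfw_add() {
    if ipfw_rule_is_catchall "$@"; then
        if [ "${IPFW_CONFIRM_CATCHALL:-no}" != yes ]; then
            echo "refusing catch-all rule: ipfw add $*" >&2
            echo "set IPFW_CONFIRM_CATCHALL=yes to add it anyway" >&2
            return 2
        fi
    fi
    "${IPFW:-ipfw}" add "$@"
}
```

The predicate is separate from the wrapper so it can be reused, for instance by a pre-check that scans /etc/rc.firewall for catch-all rules before the file is sourced. Setting IPFW to another command (":" or "echo") lets the wrapper be exercised on a machine without ipfw.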