From owner-freebsd-security Fri Mar 28 14:51:44 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id OAA09169 for security-outgoing; Fri, 28 Mar 1997 14:51:44 -0800 (PST)
Received: from cold.org (cold.org [206.81.134.103]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA09164 for ; Fri, 28 Mar 1997 14:51:41 -0800 (PST)
Received: from localhost (brandon@localhost) by cold.org (8.8.5/8.8.3) with SMTP id PAA10343; Fri, 28 Mar 1997 15:51:36 -0700 (MST)
Date: Fri, 28 Mar 1997 15:51:36 -0700 (MST)
From: Brandon Gillespie
To: Marc Slemko
cc: freebsd-security@FreeBSD.ORG
Subject: Re: alternate approach (Re: Privileged ports...)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 28 Mar 1997, Marc Slemko wrote:

> That is one possible solution, but I don't think there is any point in
> adding such a specific config file when so many other things could benefit
> from similar functionality. It is a dupe of sysctl in a lot of ways, so
> it may be an idea to look at extending sysctl to handle it nicely.
>
> You need some interface to the kernel; some program like ipfw that goes
> through the file and reads the rules and sets them up in the kernel. This
> program could be used for a lot of things; a good project would be
> extending sysctl to allow for less rigidly defined variables. e.g. can
> define ranges, variables that don't show up in a list until changed,
> having sysctl being able to read variables from a file (although this can
> be done now with a script, just isn't as nice...
>
> To summarize: good idea, lots of things like that, but as I have been
> saying all along we need a better generalized interface to such things
> because it makes little sense to keep adding little control programs here
> and there. Perhaps someday....

It would be easy enough to have /etc/netstart simply chew on the port config file and feed it to sysctl. One reason I like the idea of having a file for the config is for the visual aspect. Having a bunch of vars defined in /etc/sysconfig is OK, but not as visual as being able to map everything out through a whole file.. *shrug*