Date: Sat, 3 Aug 2002 01:51:15 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: ipfw@FreeBSD.ORG
Subject: Re: CTLFLAG_SECURE patch for ip_fw.c
Message-ID: <20020803015114.A94060@iguana.icir.org>
In-Reply-To: <20020803082559.GF47529@blossom.cjclark.org>; from crist.clark@attbi.com on Sat, Aug 03, 2002 at 01:25:59AM -0700
References: <20020803082559.GF47529@blossom.cjclark.org>

Thanks, but I have a few comments here:

* ip_fw.c in -current is basically dead, so you can leave it untouched.
* There are two more related variables, one in net/bridge.c and the other one in net/if_ethersubr.c, which control ipfw filtering of bridged and layer-2 packets, they should be updated as well;
* net.inet.ip.fw.debug should be left alone, it does not do anything critical;
* maybe net.inet.ip.fw.verbose_limit should be left unsecured as well, as I believe there might be cases where you want to change it to a different value e.g. under attack.
* all dyn_* variables should be unsecured, because again you might want to tune them dynamically.

thanks
luigi