Date: Wed, 21 Mar 2001 09:49:30 +0000
From: Paul Richards <paul@freebsd-services.co.uk>
To: Daniel Hagan <dhagan@colltech.com>
Cc: Mark Murray <mark@grondar.za>, freebsd-audit@FreeBSD.ORG
Subject: Re: ipfw permanent rules
Message-ID: <3AB8792A.19308025@freebsd-services.co.uk>
References: <3AB857E7.D4CEBD40@freebsd-services.co.uk> <200103210738.f2L7cof42204@gratis.grondar.za> <3AB85B6F.32E9EE7C@freebsd-services.co.uk> <3AB87590.FA684AE7@colltech.com>
Daniel Hagan wrote:
>
> > It sets a rule number below which rules will not be flushed. I've been
> > using it to install permanent rules, like SSH access from the office to
> > remote servers, so I can flush the majority of rules but keep those that
> > are essential to allow me to maintain connectivity to the box.
>
> I'm a little concerned that this overrides the meaning of the rule
> numbers. Now they will define what order rules are processed and
> whether they can be flushed. Wouldn't it be more orthogonal to add a
> flag to each rule (like the log keyword) to mark permanent rules? I
> don't know anything about the ipfw code, so maybe this is impractical
> (and I'm sure it would require more work), but it sounds worth it to me.

The order of rule processing isn't affected unless you enable this feature.
If you set the rule number above 0, then after a flush all the persistent
rules will be at the front of the chain, so in that situation it's possible
for the rule order to get changed when you add back flushed rules. But if
you're using this feature, then you're going to have your persistent rules
together at the bottom of the number range anyway, so the problem shouldn't
arise.

I looked at making it a per-rule setting, but the flags field looks full, so
it would require extending the struct and modifying the userland parser.
That was too much of a change for what I needed, but I might take a look at
extending the functionality later.

Paul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AB8792A.19308025>
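The two designs the thread compares, as a constructed toy model added here (not ipfw code and not the patch under discussion): a threshold flush keeps every rule numbered below a cut-off, while a per-rule flag keeps exactly the marked rules. The sample rule set and the helper names are assumptions for illustration.

```python
"""Toy model of ipfw rule persistence: number threshold vs per-rule flag."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int               # ipfw rule number; lower numbers match first
    text: str                 # rule body, e.g. "allow tcp from office to me 22"
    persistent: bool = False  # only meaningful for the per-rule-flag design


def flush_by_threshold(rules, keep_below):
    """Patch design: flush every rule numbered >= keep_below.
    Persistence is a property of where a rule sits in the number range."""
    return [r for r in rules if r.number < keep_below]


def flush_by_flag(rules):
    """Alternative design: each rule carries its own persistent flag."""
    return [r for r in rules if r.persistent]


def chain_order(rules):
    """Rule numbers in evaluation order (ipfw evaluates by ascending number)."""
    return [r.number for r in sorted(rules, key=lambda r: r.number)]


def reload_chain(kept, readded):
    """Evaluation order after re-adding flushed rules to what survived."""
    return chain_order(list(kept) + list(readded))


def expressible_as_threshold(rules):
    """A flagged rule set can be mirrored by a threshold only when every
    persistent rule is numbered below every non-persistent one."""
    persistent = [r.number for r in rules if r.persistent]
    volatile = [r.number for r in rules if not r.persistent]
    if not persistent or not volatile:
        return True
    return max(persistent) < min(volatile)


# Constructed sample chain: rule 300 is marked persistent but sits above a
# non-persistent rule, which no single threshold can reproduce.
SAMPLE = [
    Rule(100, "allow tcp from office to me 22", persistent=True),
    Rule(200, "allow ip from any to any via lo0"),
    Rule(300, "allow tcp from me to office 22", persistent=True),
    Rule(65000, "deny ip from any to any"),
]
```

Re-adding the flushed rules under their original numbers restores the same evaluation order, which is the point Paul makes about ordering; the threshold design only diverges from the flag design when a persistent rule is numbered above a non-persistent one.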