Date: Mon, 18 Dec 1995 18:01:27 +0100
From: "Frank ten Wolde" <franky@pinewood.nl>
To: Nate Williams <nate@rocky.sri.MT.net>
Cc: hackers@FreeBSD.ORG
Subject: Re: Order of rules in ip_fw chain
Message-ID: <9512181801.ZM8519@pwood1.pinewood.nl>
In-Reply-To: Nate Williams <nate@rocky.sri.MT.net> "Re: Order of rules in ip_fw chain" (Dec 15, 9:39)
References: <9512151302.ZM27077@pwood1.pinewood.nl> <199512151611.JAA16380@rocky.sri.MT.net> <nate@rocky.sri.MT.net> <9512151720.ZM309@pwood1.pinewood.nl> <199512151639.JAA16535@rocky.sri.MT.net>
On Dec 15, 9:39, Nate Williams wrote:
> Subject: Re: Order of rules in ip_fw chain
> > > > 2) I noticed that the order in which the fw checks incoming packets is
> > > > *not* the same as the order in which the packet rules were added.
> > > > IMHO this should be fixed. I have not had the time (yet) to have
> > > > a look at the source myself, but will do so in the next few weeks.
> > > [ Explanation about priority based rules deleted ]
> Finally, while I agree that not allowing the filtering rules is a good
> thing, I'm of the opinion that it's much better to allow changing it
> without having to reboot the system. I have a pretty good set of rules,
> but there are occasions when I need to open up the firewall to 'trusted'
> hosts, and I'd rather not bring down my Internet connection to do it.

I think we disagree here, or our needs differ greatly :-)

I still think it's better for safety that *if* my Bastion host is
compromised (someone evil becomes root) they still cannot flush the fw
chain. I accept bringing down the host to single user mode for
adding/deleting rules -- after *careful* consideration of the new rules.

Should we make the save-fw-chain a configuration option in the kernel?

Perhaps we must add a new level to securelevel to allow for secure fw
chains *on top of* the very secure mode (e.g., securelevel 3). Maybe we
need to re-define securelevel to be a bit-field to enable secure mode for
independent sub-systems in the kernel? Would this be too large a deviation
from the original 4.4BSD definition?

> Nate

-Frank
--
----------------------------------------------------------------------
F.W. ten Wolde (PA3FMT)                    Pinewood Automation B.V.
E-mail: franky@pinewood.nl                 Kluyverweg 2a
Phone:  +31-15 2682543                     2629 HT Delft
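The two designs Frank floats above (a new scalar securelevel 3 that freezes the firewall chain, versus a per-subsystem bit-field of locks) can be modelled side by side. The C below is an added illustration written for this archive page; it is not FreeBSD kernel code, and the constants SECURELEVEL_FW_FROZEN, SL_FW_CHAIN and the struct/function names are hypothetical. The property both variants share is the one that matters for the compromised-bastion case: a lock can be raised from a running system but never lowered, so a root shell obtained after boot cannot flush or append to the chain. The chain itself is appended at the tail, so evaluation order equals insertion order, the behaviour the thread subject asks for.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical: scalar securelevel at which the ip_fw chain becomes read-only. */
#define SECURELEVEL_FW_FROZEN 3
/* Hypothetical: one bit of a per-subsystem lock word, covering only the fw chain. */
#define SL_FW_CHAIN 0x04u

struct secstate {
    int securelevel;      /* 4.4BSD-style monotonically increasing level */
    unsigned int locks;   /* alternative bit-field; bits can be set, never cleared */
};

/* Raising is allowed from a running system; lowering is refused (only init at
 * boot, i.e. a reboot into single-user mode, starts from 0 again). */
int securelevel_raise(struct secstate *s, int level)
{
    if (level < s->securelevel)
        return -1;                 /* EPERM */
    s->securelevel = level;
    return 0;
}

/* Bit-field variant: OR-only, so an attacker who is root cannot unlock. */
int seclock_set(struct secstate *s, unsigned int bits)
{
    s->locks |= bits;
    return 0;
}

int seclock_clear(struct secstate *s, unsigned int bits)
{
    (void)s; (void)bits;
    return -1;                     /* always EPERM after boot */
}

#define FW_MAX_RULES 16
struct fw_chain {
    int n;
    int rules[FW_MAX_RULES];       /* rule ids in insertion order */
};

/* The check a chain-modifying ioctl would perform under each design. */
static bool fw_chain_writable(const struct secstate *s, bool use_bits)
{
    if (use_bits)
        return (s->locks & SL_FW_CHAIN) == 0;
    return s->securelevel < SECURELEVEL_FW_FROZEN;
}

/* 0 on success, -1 when the chain is frozen, -2 when the chain is full. */
int fw_add_rule(struct fw_chain *c, const struct secstate *s, bool use_bits, int rule_id)
{
    if (!fw_chain_writable(s, use_bits))
        return -1;
    if (c->n >= FW_MAX_RULES)
        return -2;
    c->rules[c->n++] = rule_id;    /* tail append: evaluation order == insertion order */
    return 0;
}

int fw_flush_chain(struct fw_chain *c, const struct secstate *s, bool use_bits)
{
    if (!fw_chain_writable(s, use_bits))
        return -1;
    c->n = 0;
    return 0;
}

int main(void)
{
    struct secstate s = {0, 0};
    struct fw_chain c = {0, {0}};

    /* Administrator loads rules at boot, then raises the level. */
    fw_add_rule(&c, &s, false, 100);
    fw_add_rule(&c, &s, false, 200);
    securelevel_raise(&s, SECURELEVEL_FW_FROZEN);

    /* Later, "someone evil becomes root" and tries to flush the chain. */
    printf("flush after freeze: %d (rules kept: %d)\n", fw_flush_chain(&c, &s, false), c.n);
    printf("lower securelevel:  %d\n", securelevel_raise(&s, 0));

    /* Same scenario under the bit-field design. */
    struct secstate b = {0, 0};
    seclock_set(&b, SL_FW_CHAIN);
    printf("bit-field add:      %d\n", fw_add_rule(&c, &b, true, 300));
    printf("bit-field unlock:   %d\n", seclock_clear(&b, SL_FW_CHAIN));
    return 0;
}
```

The bit-field form answers Nate's objection only partially: it lets an administrator freeze the firewall chain without also freezing immutable files or raw disk access, but once set it is just as irreversible without a reboot, which is the point of Frank's design.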