From owner-freebsd-security  Sat Apr 18 09:15:39 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA05768
          for freebsd-security-outgoing; Sat, 18 Apr 1998 09:15:39 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from uriela.in-berlin.de (uriela.in-berlin.de [192.109.42.147])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA05736
          for <freebsd-security@FreeBSD.ORG>; Sat, 18 Apr 1998 16:15:35 GMT
          (envelope-from nortobor.nostromo.in-berlin.de!ripley@never.mind.de)
Received: by uriela.in-berlin.de (/\oo/\ Smail3.1.29.1 #29.8)
	from never.never.mind.de (193.101.72.4)  with smtp
	id m0yQaGs-000LuHC; Sat, 18 Apr 98 18:15 MET DST
Received: by never.never.mind.de (linux Smail3.1.28.1 #1)
	id m0yQaGr-000ExzC; Sat, 18 Apr 98 18:15 MET DST
Received: (from ripley@localhost)
	by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id WAA06547;
	Fri, 17 Apr 1998 22:47:17 +0200 (CEST)
	(envelope-from ripley)
Message-ID: <19980417224716.41173@nostromo.in-berlin.de>
Date: Fri, 17 Apr 1998 22:47:16 +0200
From: "H. Eckert" <ripley@nostromo.in-berlin.de>
To: freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
References: <199804170519.WAA12540@burka.rdy.com> <Pine.BSF.3.96.980417013537.8952E-100000@trojanhorse.pr.watson.org> <19980417105557.59439@deepo.prosa.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84e
In-Reply-To: <19980417105557.59439@deepo.prosa.dk>; from Philippe Regnauld on Fri, Apr 17, 1998 at 10:55:57AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Fri, Apr 17, 1998 at 10:55:57AM +0200, Philippe Regnauld wrote:
> 	Suggestion:  how difficult would it be to have ipfw(8) respect
> 	the securelevel to, for example, refuse to flush / alter
> 	the ipfw list ?
> 
> 	i.e.: all mods have to be tested before the securelevel is raised,
> 	and once it is, only rebooting into single user on the console
> 	allows you to change the filters.

Actually I like the dynamically adaptable ipfw scheme a lot more
than ipfilterd.conf on an Irix machine we have at work.  This is
a matter of flexibility.

> 	We need write-protect notch on the hard-disks :-)

There have been times where harddrives had this.  But somehow a
real switch seems to be out of fashion.  ZipDisks have only the
software write-protection...
Since I started using 90mm floppies I trained myself to protect
them immediately when ejecting a disk I don't want to write to
again a few moments later.

Greetings,
				Ripley
-- 
http://www.in-berlin.de/User/nostromo/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message