From owner-freebsd-hackers Mon Jul 26 20:51:29 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id 45DF1151CC; Mon, 26 Jul 1999 20:51:26 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id UAA49943; Mon, 26 Jul 1999 20:48:28 -0700 (PDT) (envelope-from dillon) Date: Mon, 26 Jul 1999 20:48:28 -0700 (PDT) From: Matthew Dillon Message-Id: <199907270348.UAA49943@apollo.backplane.com> To: "Brian F. Feldman" Cc: Joe Greco , hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: securelevel and ipfw zero References: Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG : :> :> :That doesn't mean we shouldn't allow people to have an unsophisticated setup, :> :just because a sophisticated one is available. It would be useful to have :> :a per-firewall-rule counter, decrement it on each match if logging and :> :set, and be able to reset to something higher. :> : :> : Brian Fundakowski Feldman _ __ ___ ____ ___ ___ ___ :> :> There may be some confusion here. I am advocating that we *allow* the :> zeroing of counters at secure level 3. : :Which is what I am advocating against. Let me put it a different way: ipfw allows you to clear counters. It is a feature that already exists. However, it does not allow you to do it if you are sitting at secure level 3. Why not? I can't think of any good reason why clearing the counters should be disallowed when sitting at a higher secure level. The counters are nothing more then statistics. Clearing statistics is not a security threat. The discussion should simply be about that. Not all this garbage about adding new features. There's a feature that does not seem to impact security, secure level disallows it, why? -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message