Date: Tue, 19 Dec 1995 09:40:21 +0100
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: Nate Williams <nate@rocky.sri.MT.net>
Cc: "Frank ten Wolde" <franky@pinewood.nl>, hackers@FreeBSD.ORG
Subject: Re: Order of rules in ip_fw chain
Message-ID: <24125.819362421@critter.tfs.com>
In-Reply-To: Your message of "Mon, 18 Dec 1995 10:11:34 MST." <199512181711.KAA23836@rocky.sri.MT.net>

> > I think we disagree here, or our needs differ greatly :-) I still think
> > it's better for safety that *if* my Bastion host is compromised (someone
> > evil becomes root) they still cannot flush the fw chain.
>
> Agreed. My statement was made to say that I think we need to have more
> security levels than the current version, so we can still have a secure
> system and *still* allow modifications of the ipfw chain. It doesn't
> have to be an all or nothing affair.

I think having one global secure-level, and one level for each "feature"
to override:

This could for instance be done like this:

	sysctl -w kern.ipfw.securelevel=1
		(if it's zero, the kern.securelevel decides.)
	sysctl -w kern.securelevel=2

--
Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox.
whois: [PHK] | phk@ref.tfs.com TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.