From owner-freebsd-hackers Wed Jun 18 22:43:28 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id WAA07895 for hackers-outgoing; Wed, 18 Jun 1997 22:43:28 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA07890 for ; Wed, 18 Jun 1997 22:43:26 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id WAA07025; Wed, 18 Jun 1997 22:42:55 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma007023; Wed Jun 18 22:42:44 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id WAA02606; Wed, 18 Jun 1997 22:42:44 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199706190542.WAA02606@bubba.whistle.com>
Subject: Re: Adding a new feature to 2.2 series?
In-Reply-To: <199706181926.PAA04006@pandora.hh.kew.com> from Drew Derbyshire at "Jun 18, 97 03:26:15 pm"
To: ahd@kew.com (Drew Derbyshire)
Date: Wed, 18 Jun 1997 22:42:44 -0700 (PDT)
Cc: hackers@FreeBSD.ORG, julian@whistle.com
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> If you're hacking the code, add a wish for the ipfw command line
> side, although not for 2.2.x ...
>
> Consider parsing the port and IP address fields for the contents
> of /etc/services, /etc/hosts and /etc/network. I find the requirement
> to use numerics to be extremely error prone. I presume this is
> currently done because NIS and DNS are not presumed to be available
> when ipfw is run and the stock gethostbyname, etc. would attempt
> to access these services.

DNS/NIS are not required to use /etc/services as far as I know, so that's not the reason..
I was under the impression that this was done for security reasons, i.e., if someone hacks (i.e., modifies) your /etc/services, they can then render your TCP and UDP packet filtering useless.. Of course, if they can do this, they can probably hack ipfw too ..

I agree, at least it should be enablable via a command line option. I'll look at adding this to the patch.. shouldn't be hard.

Comments?

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
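The concern raised above (a rule written with a service name means whatever /etc/services says it means, so an edited services file silently changes what the filter blocks) and the proposed opt-in switch, shown as an added example. This is not ipfw's own code and not from the patch discussed in the thread; it is a stand-alone C program with a hypothetical resolve_port() front-end, and it parses constructed /etc/services-style text passed in as a string rather than reading the real file, so it runs offline.

```c
/* Added example, not FreeBSD ipfw code. Resolves the port field of a
 * filter rule either strictly numerically (the behaviour the thread says
 * ipfw has today) or, when allow_names is set, by looking the name up in
 * an /etc/services-style table. The tampered table shows why the name
 * lookup should be opt-in: the same rule text resolves to a different port. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORT_BAD (-1)

/* Strict numeric parse: the whole token must be digits and in 1..65535. */
static int parse_numeric_port(const char *tok)
{
    const char *p;
    char *end;
    long v;

    if (*tok == '\0')
        return PORT_BAD;
    for (p = tok; *p; p++)
        if (!isdigit((unsigned char)*p))
            return PORT_BAD;
    v = strtol(tok, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535)
        return PORT_BAD;
    return (int)v;
}

/* Look a service name (or alias) up in a services-file text buffer.
 * Line format, as in services(5): name port/proto [alias ...] [# comment] */
static int lookup_service(const char *services, const char *name, const char *proto)
{
    char buf[256];
    const char *line = services;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t adv = nl ? len + 1 : len;
        char *hash, *svc, *portproto, *slash, *alias;
        int port;

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line += adv;

        if ((hash = strchr(buf, '#')) != NULL)
            *hash = '\0';
        svc = strtok(buf, " \t");
        portproto = svc ? strtok(NULL, " \t") : NULL;
        if (!svc || !portproto || (slash = strchr(portproto, '/')) == NULL)
            continue;
        *slash = '\0';
        if (strcmp(slash + 1, proto) != 0)
            continue;
        if ((port = parse_numeric_port(portproto)) == PORT_BAD)
            continue;
        if (strcmp(svc, name) == 0)
            return port;
        for (alias = strtok(NULL, " \t"); alias; alias = strtok(NULL, " \t"))
            if (strcmp(alias, name) == 0)
                return port;
    }
    return PORT_BAD;
}

/* Hypothetical rule-parser entry point: numeric tokens always work; names
 * are honoured only when the caller enabled them (the command line option
 * suggested in the thread). Returns PORT_BAD on any failure. */
int resolve_port(const char *tok, const char *proto, const char *services, int allow_names)
{
    int port = parse_numeric_port(tok);

    if (port != PORT_BAD)
        return port;
    if (!allow_names)
        return PORT_BAD;
    return lookup_service(services, tok, proto);
}

/* Constructed sample tables, not the real /etc/services. In the second one
 * an attacker repointed "telnet", so a name-based deny rule no longer covers 23. */
const char *SERVICES_OK =
    "# constructed sample\n"
    "ssh     22/tcp\n"
    "telnet  23/tcp\n"
    "domain  53/udp  nameserver\n";
const char *SERVICES_TAMPERED =
    "ssh     22/tcp\n"
    "telnet  2323/tcp\n"
    "domain  53/udp  nameserver\n";

int main(void)
{
    printf("23, names off:               %d\n", resolve_port("23", "tcp", SERVICES_OK, 0));
    printf("telnet, names off:           %d\n", resolve_port("telnet", "tcp", SERVICES_OK, 0));
    printf("telnet, names on, sane:      %d\n", resolve_port("telnet", "tcp", SERVICES_OK, 1));
    printf("telnet, names on, tampered:  %d\n", resolve_port("telnet", "tcp", SERVICES_TAMPERED, 1));
    return 0;
}
```

With names switched off a rule that says "telnet" is rejected outright, so a misconfiguration is loud rather than silent; with names on, the rule "deny tcp ... telnet" quietly becomes a deny on 2323 once the file is edited, which is exactly the failure the message describes.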