From owner-freebsd-hackers Wed Sep 23 02:35:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA18636 for freebsd-hackers-outgoing; Wed, 23 Sep 1998 02:35:53 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA18616 for ; Wed, 23 Sep 1998 02:35:34 -0700 (PDT) (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.9.1/8.9.1/Spinner) with ESMTP id RAA14233; Wed, 23 Sep 1998 17:34:20 +0800 (WST) (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199809230934.RAA14233@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: Studded
cc: Drew Baxter, rotel@indigo.ie, FreeBSD Hackers
Subject: Re: Packet/traffic shapper ?
In-reply-to: Your message of "Wed, 23 Sep 1998 00:37:29 MST." <3608A539.B9BD103E@dal.net>
Date: Wed, 23 Sep 1998 17:34:20 +0800
From: Peter Wemm
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Studded wrote:
> Drew Baxter wrote:
> >
> > At 12:49 AM 9/23/98 +0000, Niall Smart wrote:
> > >
> > > Personally I don't think IPFW_DEFAULT_TO_ACCEPT is a bad idea, once you
> > > are sure you have the accept rules necessary to ensure your connectivity
> > > to the host you can pop in a deny all rule. This will probably be slower
> > > than defaulting to deny though.
> > ---
> > Hm, isn't default_to_accept still affected by ipfw flush?
>
> No it's not, that's one of the reasons the option was added.

The other reason it's an option is because it's a tradeoff situation. An inclusive filter (ie: only explicitly allow defined packets) is compromised if an accident happens or somebody can make the box fall over and somehow not reload its filters properly.

With an exclusive strategy (eg: ISP, who is in the business of carrying data rather than dropping it), it's beneficial to have it open by default so that specific things can be filtered when and as needed without the risk of accidents closing everything down. Generally, accidentally leaving the barn door open and everything running away generally is far worse than having to drive to fix the damn thing.

"Generally" is the key. One policy doesn't always fit everybody perfectly, but having it this way seems the lesser of the evils.

> Doug

Cheers,
-Peter
--
Peter Wemm
Netplex Consulting
"No coffee, No workee!" :-)
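The tradeoff Peter describes (an inclusive "allow what you need, deny the rest" ruleset that gets flushed, versus a default-to-accept kernel) can be made concrete with a small model of first-match firewall evaluation. The following is an added illustration, not code from the thread or from FreeBSD's ipfw: it assumes ipfw's semantics as the thread presents them (rules are tried in number order, first match wins, rule 65535 is the fixed default whose action is set by the compile-time option, and a flush removes every rule except that default). The `Firewall`, `Rule` and `Packet` classes, the rule numbers and all addresses and sample packets are constructed for the example.

```python
"""Model of an ipfw-style first-match rule list with a compiled-in default policy.

Constructed example: shows why a default-to-deny ruleset that loses its rules
(crash, failed reload, accidental flush) locks the admin out, while a
default-to-accept kernel stays reachable but unfiltered.  Not ipfw itself.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_RULE = 65535  # ipfw's fixed last rule; assumed here to survive "ipfw flush"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "allow" or "deny"
    proto: str = "ip"         # "ip" matches every protocol
    src: str = "any"          # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Match on protocol, destination port and source/destination prefixes only."""
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True


class Firewall:
    """First-match rule list; the default rule's action is fixed at construction,
    standing in for the compile-time option discussed in the thread."""

    def __init__(self, default_to_accept: bool):
        self.default_action = "allow" if default_to_accept else "deny"
        self.rules = []

    def add(self, rule: Rule) -> None:
        if not 1 <= rule.number < DEFAULT_RULE:
            raise ValueError("rule number must be below the default rule")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)

    def flush(self) -> None:
        # Like "ipfw flush": every numbered rule goes, only the default rule remains.
        self.rules.clear()

    def check(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


def inclusive_ruleset(fw: Firewall) -> Firewall:
    """Explicitly allow what is needed, then a catch-all deny (Niall's 'deny all' rule)."""
    fw.add(Rule(100, "allow", "tcp", src="192.0.2.0/24", dport=22))   # admin net -> ssh
    fw.add(Rule(200, "allow", "tcp", dport=80))                        # public web server
    fw.add(Rule(65000, "deny"))                                        # everything else
    return fw


# Constructed sample traffic (documentation prefixes, no real hosts).
ADMIN_SSH = Packet("192.0.2.10", "198.51.100.5", "tcp", 22)
STRANGER_SMTP = Packet("203.0.113.7", "198.51.100.5", "tcp", 25)


def outcome(default_to_accept: bool) -> dict:
    """Decisions for the two sample packets before and after the rules are lost."""
    fw = inclusive_ruleset(Firewall(default_to_accept))
    before = (fw.check(ADMIN_SSH), fw.check(STRANGER_SMTP))
    fw.flush()
    after = (fw.check(ADMIN_SSH), fw.check(STRANGER_SMTP))
    return {
        "before": before,
        "after": after,
        "locked_out": after[0] == "deny",    # admin can no longer ssh in
        "wide_open": after[1] == "allow",    # unrelated traffic now passes
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("default_to_accept =", flag, outcome(flag))
```

With the default set to deny, the same ruleset protects the host until the rules vanish, after which `ADMIN_SSH` is dropped too, which is the "drive to the box" case. With the default set to accept, losing the rules never cuts off the admin, but `STRANGER_SMTP` is now allowed, which is the "barn door open" case; the model makes it easy to see that neither default is free, only that the failure modes differ.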