From owner-freebsd-hackers Tue Jan 27 22:20:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA00627 for hackers-outgoing; Tue, 27 Jan 1998 22:20:06 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from oskar.nanoteq.co.za (www.absadirect.co.za [196.37.91.10] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA00539 for ; Tue, 27 Jan 1998 22:19:47 -0800 (PST) (envelope-from rbezuide@oskar.nanoteq.co.za)
Received: (from rbezuide@localhost) by oskar.nanoteq.co.za (8.8.8/8.8.5) id IAA23275; Wed, 28 Jan 1998 08:17:50 +0200 (SAT)
From: Reinier Bezuidenhout
Message-Id: <199801280617.IAA23275@oskar.nanoteq.co.za>
Subject: Re: ipfw patch
In-Reply-To: <199801280535.VAA29425@austin.polstra.com> from John Polstra at "Jan 27, 98 09:35:40 pm"
To: jdp@polstra.com (John Polstra)
Date: Wed, 28 Jan 1998 08:16:35 +0200 (SAT)
Cc: archie@whistle.com, hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

> In article <199801280028.QAA18434@bubba.whistle.com>,
> Archie Cobbs wrote:
> >
> > A good idea.. more traditional though would just be to add a flag
> > to ipfw itself, like "-n" or something.
> >
> > -Archie
> >
> > alexlh@xs4all.nl writes:
> > > I use ipfw a lot. It's really nice.
> > >
> > > One thing bothered me though; sometimes there would be a typo in the rules
> > > file, causing ipfw not to finish adding all the rules. This has been a
> > > problem, as most of our servers are located behind a large, locked door
> > > and I usually do things to them over the network.
> > >
> > > I've patched ipfw so that it's now possible to let it process a ruleset
> > > without actually adding the rules to the kernel. It now checks to see if
> > > the executable is actually named 'ipfw' before the setsockopt() call.
> > > Create a symlink named (for example) testipw pointing to the ipfw
> > > executable, and all will be fine.
>
> I agree with Archie. It's best to avoid adding programs that change
> their behavior based on the name used to invoke them.
>

True ... it should be a flag so that it is optional. In the case of the
machine being a firewall, you would rather it didn't process any rules
after the incorrect one (the behaviour like it is now) because you might
be skipping a very important deny rule and add other rules that would
make the system less secure. In such a specific case you would rather
that it skipped all the other rules and just have the default deny at
the end than a false sense of security. Even though it means that you
must have a console or screen and keyboard connected :)

Reinier

###################################################################
#                                                                 #
# R.N. Bezuidenhout                         NetSeq Firewall       #
# rbezuide@oskar.nanoteq.co.za              http://www.nanoteq.com #
#                                                                 #
###################################################################
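The two concerns in this thread, checking a ruleset without loading it and never loading anything past a bad rule, can be met together by validating the whole file before a single rule reaches the kernel. The script below is an added example written for this archive; it is not Alex's patch, not Reinier's, and not ipfw's own code. It assumes a deliberately simplified rule grammar (`add [number] action proto from SRC to DST`, actions allow/pass/deny/reject) that covers only a fragment of real ipfw syntax, names the loader through an `IPFW` variable that defaults to `echo` for a dry run, and constructs its own two sample rules files.

```shell
#!/bin/sh
# Added example (not from the thread, not ipfw's own code).
# Check every rule in a file first; load rules only if all of them parse,
# so a typo leaves the existing ruleset untouched rather than half-loaded.
# Assumptions: simplified grammar (see lead-in); IPFW names the command
# that loads a rule. Default is a dry run; IPFW=/sbin/ipfw loads for real.

IPFW="${IPFW:-echo}"

# check_rules FILE: print "line N: reason" for the first bad rule and
# return 1; return 0 when every non-comment line passes the syntax check.
check_rules() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        # Split the rule into words (word splitting is intended here).
        # shellcheck disable=SC2086
        set -- $line
        [ "$1" = "add" ] || { echo "line $n: expected 'add', got '$1'"; return 1; }
        shift
        case "$1" in                        # optional rule number
            ''|*[!0-9]*) ;;
            *) shift ;;
        esac
        case "$1" in
            allow|pass|deny|reject) ;;
            *) echo "line $n: unknown action '$1'"; return 1 ;;
        esac
        case "$2" in
            ip|all|tcp|udp|icmp) ;;
            *) echo "line $n: unknown protocol '$2'"; return 1 ;;
        esac
        [ "$3" = "from" ] && [ -n "$4" ] && [ "$5" = "to" ] && [ -n "$6" ] ||
            { echo "line $n: expected 'from SRC to DST'"; return 1; }
    done < "$file"
    return 0
}

# apply_rules FILE: refuse the whole file if check_rules rejects any line;
# otherwise hand each rule to $IPFW, stopping at the first loader error.
apply_rules() {
    file=$1
    check_rules "$file" || { echo "refusing to load $file: nothing applied"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # shellcheck disable=SC2086
        "$IPFW" $line || return 1
    done < "$file"
}

# make_sample_rules DIR: write two constructed sample files, one valid and
# one with a typo in the action of the second rule.
make_sample_rules() {
    cat > "$1/good.rules" <<'EOF'
# constructed sample: small fail-closed ruleset
add 100 allow tcp from any to any 22
add 200 allow udp from any to any 53
add 65000 deny ip from any to any
EOF
    cat > "$1/bad.rules" <<'EOF'
# constructed sample: "alow" is a typo
add 100 allow tcp from any to any 22
add 200 alow udp from any to any 53
add 65000 deny ip from any to any
EOF
}

dir=$(mktemp -d)
make_sample_rules "$dir"
apply_rules "$dir/good.rules"
apply_rules "$dir/bad.rules" || echo "bad.rules rejected before any rule was loaded"
rm -rf "$dir"
```

Run as-is, the script only echoes the rules it would load, which is the dry-run mode Alex wanted; with `IPFW=/sbin/ipfw` it loads them, and a typo anywhere in the file means no rule is loaded at all, so the kernel's existing ruleset (and its final deny) is what stays in force, the fail-closed outcome Reinier argues for.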