Date: Sun, 19 Aug 2007 18:18:51 +0200
From: Max Laier <max@love2party.net>
To: "Dmitry Pryanishnikov" <lynx.ripe@gmail.com>
Cc: cvs-src@freebsd.org, src-committers@freebsd.org, "Christian S.J. Peron" <csjp@freebsd.org>, cvs-all@freebsd.org
Subject: Re: FreeBSD Mail Archives
Message-ID: <200708191819.10716.max@love2party.net>
In-Reply-To: <754a9c140708190854vde1ca31n8ec1e9c5fbc9cbb3@mail.gmail.com>
References: <46C861BA.4000708@gmail.com> <754a9c140708190854vde1ca31n8ec1e9c5fbc9cbb3@mail.gmail.com>

On Sunday 19 August 2007, Dmitry Pryanishnikov wrote:
> Hello!
>
> > Date: Sat, 4 Aug 2007 20:35:42 +0000 (UTC)
> > From: "Christian S.J. Peron" <csjp@FreeBSD.org>
> > To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
> > cvs-all@FreeBSD.org Subject: cvs commit: src/sbin/ipfw ipfw.8
> > Message-ID: <200708042035.l74KZg6K061244@repoman.freebsd.org>
> > csjp 2007-08-04 20:35:42 UTC
> >
> > FreeBSD src repository
> >
> > Modified files:
> > sbin/ipfw ipfw.8
> > Log:
> > Remove references to mpsafenet. This option no longer exists.
>
> I think this commit may create false feeling that using ipfw features
> such as gid, jail, uid and dummynet for IPv6 are now available for
> general use. However, I don't see commit messages for the locking fixes
> which would make these options safe. If I don't miss anything here,
> removal of the debug.mpsafenet makes all these ipfw uses always
> dangerous, so this fact should be mentioned in BUGS section of the
> manpage (until someone actually fixes those uses).

As discussed before the removal of mpsafenet, the LOR reported for uid,
gid and jail rules is a false positive! There is no danger (of deadlock)
from using these rules.

I'd still discourage the use of these options as they don't always do what
people expect. The right solution is a MAC based filter in the socket
layer. Although it does !sometimes! make sense to drop/accept packets
early. Esp. with protocols like ftp or sip it can be helpful, but one
should still be aware of the implications.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News