Date:      Sun, 19 Aug 2007 18:18:51 +0200
From:      Max Laier <max@love2party.net>
To:        "Dmitry Pryanishnikov" <lynx.ripe@gmail.com>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, "Christian S.J. Peron" <csjp@freebsd.org>, cvs-all@freebsd.org
Subject:   Re: FreeBSD Mail Archives
Message-ID:  <200708191819.10716.max@love2party.net>
In-Reply-To: <754a9c140708190854vde1ca31n8ec1e9c5fbc9cbb3@mail.gmail.com>
References:  <46C861BA.4000708@gmail.com> <754a9c140708190854vde1ca31n8ec1e9c5fbc9cbb3@mail.gmail.com>


On Sunday 19 August 2007, Dmitry Pryanishnikov wrote:
> Hello!
>
> > Date:      Sat, 4 Aug 2007 20:35:42 +0000 (UTC)
> > From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
> > To:        src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
> > Subject:   cvs commit: src/sbin/ipfw ipfw.8
> > Message-ID:  <200708042035.l74KZg6K061244@repoman.freebsd.org>
> >  csjp        2007-08-04 20:35:42 UTC
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sbin/ipfw            ipfw.8
> >   Log:
> >   Remove references to mpsafenet. This option no longer exists.
>
>   I think this commit may create a false feeling that using ipfw features
> such as gid, jail, uid and dummynet for IPv6 are now available for
> general use. However, I don't see commit messages for the locking fixes
> which would make these options safe. If I'm not missing anything here,
> removal of the debug.mpsafenet makes all these ipfw uses always
> dangerous, so this fact should be mentioned in the BUGS section of the
> manpage (until someone actually fixes those uses).

As discussed before the removal of mpsafenet, the LOR reported for uid, 
gid and jail rules is a false positive!  There is no danger (of deadlock) 
from using these rules.

I'd still discourage the use of these options as they don't always do what 
people expect.  The right solution is a MAC based filter in the socket 
layer.  Although it does !sometimes! make sense to drop/accept packets 
early.  Esp. with protocols like ftp or sip it can be helpful, but one 
should still be aware of the implications.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200708191819.10716.max>