Date: Mon, 26 Jul 1999 20:48:28 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: "Brian F. Feldman" <green@FreeBSD.ORG> Cc: Joe Greco <jgreco@ns.sol.net>, hackers@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: securelevel and ipfw zero Message-ID: <199907270348.UAA49943@apollo.backplane.com> References: <Pine.BSF.4.10.9907262322120.35843-100000@janus.syracuse.net>
next in thread | previous in thread | raw e-mail | index | archive | help
:
:>
:> :That doesn't mean we shouldn't allow people to have an unsophisticated setup,
:> :just because a sophisticated one is available. It would be useful to have
:> :a per-firewall-rule counter, decrement it on each match if logging and
:> :set, and be able to reset to something higher.
:> :
:> : Brian Fundakowski Feldman _ __ ___ ____ ___ ___ ___
:>
:> There may be some confusion here. I am advocating that we *allow* the
:> zeroing of counters at secure level 3.
:
:Which is what I am advocating against.
Let me put it a different way:
ipfw allows you to clear counters. It is a feature that already exists.
However, it does not allow you to do it if you are sitting at secure
level 3.
Why not? I can't think of any good reason why clearing the counters
should be disallowed when sitting at a higher secure level. The counters
are nothing more then statistics. Clearing statistics is not a security
threat.
The discussion should simply be about that. Not all this garbage about
adding new features. There's a feature that does not seem to impact
security, secure level disallows it, why?
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199907270348.UAA49943>