Date: Wed, 21 Mar 2001 15:02:44 -0600
From: Bill Fumerola <billf@mu.org>
To: Paul Richards <paul@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321150244.F2567@elvis.mu.org>
In-Reply-To: <200103210819.f2L8JWm19214@freefall.freebsd.org>; from paul@FreeBSD.org on Wed, Mar 21, 2001 at 12:19:32AM -0800
References: <200103210819.f2L8JWm19214@freefall.freebsd.org>
On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> Modified files:
> sys/netinet ip_fw.c
> Log:
> Only flush rules that have a rule number above that set by a new
> sysctl, net.inet.ip.fw.permanent_rules.
>
> This allows you to install rules that are persistent across flushes,
> which is very useful if you want a default set of rules that
> maintains your access to remote machines while you're reconfiguring
> the other rules.
>
> Reviewed by: Mark Murray <markm@FreeBSD.org>
Ugh.
If you're configuring remote machines with a default deny rule instead
of explicitly adding a deny rule you might want to reconsider.
Please back this out.
--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org
hint: if you really want to do this, add IP_FW_F_FLUSHPROOF (or whatever)
to the flags of struct ip_fw->fw_flg, that would make much more sense.
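As an added illustration (not code from FreeBSD's ip_fw.c, nor from either poster), a small C model of the two flush policies in the thread: the rule-number threshold from the commit (net.inet.ip.fw.permanent_rules) versus the per-rule flag Bill suggests. The struct, the FW_F_FLUSHPROOF bit and the sample chain are hypothetical simplifications.

```c
#include <string.h>

#define FW_F_FLUSHPROOF 0x1  /* hypothetical stand-in for the suggested IP_FW_F_FLUSHPROOF */
#define MAX_RULES 16

/* Simplified, hypothetical stand-in for struct ip_fw: a number plus a flags word (fw_flg). */
struct rule { int number; int flags; };
struct chain { struct rule r[MAX_RULES]; int n; };

/* Keep only rules for which keep() is true; return how many were removed. */
static int flush_if(struct chain *c, int (*keep)(const struct rule *, int), int arg) {
    int kept = 0, i;
    for (i = 0; i < c->n; i++)
        if (keep(&c->r[i], arg))
            c->r[kept++] = c->r[i];
    i = c->n - kept;
    c->n = kept;
    return i;
}

/* Commit semantics: a rule survives a flush when its number is not above the sysctl. */
static int keep_by_threshold(const struct rule *r, int permanent_rules) {
    return r->number <= permanent_rules;
}

/* Suggested alternative: survival is a property of the rule itself, not of its position. */
static int keep_by_flag(const struct rule *r, int unused) {
    (void)unused;
    return (r->flags & FW_F_FLUSHPROOF) != 0;
}

/* Constructed sample chain: loopback and anti-spoof rules first, then the
 * management-access rule at 1000, which is the one that must not be lost. */
static void sample_chain(struct chain *c) {
    static const struct rule init[] = {
        { 100,  0 },               /* allow via lo0 */
        { 200,  0 },               /* deny spoofed source */
        { 1000, FW_F_FLUSHPROOF }, /* allow ssh from the management network */
    };
    memcpy(c->r, init, sizeof init);
    c->n = (int)(sizeof init / sizeof init[0]);
}

static int has_rule(const struct chain *c, int number) {
    for (int i = 0; i < c->n; i++) if (c->r[i].number == number) return 1;
    return 0;
}

/* Flush a fresh sample chain under one policy; 1 if the management rule survived. */
static int mgmt_rule_survives(int use_flag, int threshold) {
    struct chain c;
    sample_chain(&c);
    flush_if(&c, use_flag ? keep_by_flag : keep_by_threshold, threshold);
    return has_rule(&c, 1000);
}
```

Under the threshold policy the rule at 1000 survives only when the sysctl is set to at least 1000, so persistence is tied to rule numbering; under the flag policy it survives wherever it sits in the chain.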