Date: Wed, 21 Mar 2001 15:02:44 -0600
From: Bill Fumerola
To: Paul Richards
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321150244.F2567@elvis.mu.org>
References: <200103210819.f2L8JWm19214@freefall.freebsd.org>
In-Reply-To: <200103210819.f2L8JWm19214@freefall.freebsd.org>; from paul@FreeBSD.org on Wed, Mar 21, 2001 at 12:19:32AM -0800

On Wed, Mar 21, 2001 at 12:19:32AM -0800, Paul Richards wrote:
> Modified files:
>   sys/netinet ip_fw.c
> Log:
> Only flush rules that have a rule number above that set by a new
> sysctl, net.inet.ip.fw.permanent_rules.
>
> This allows you to install rules that are persistent across flushes,
> which is very useful if you want a default set of rules that
> maintains your access to remote machines while you're reconfiguring
> the other rules.
>
> Reviewed by: Mark Murray

Ugh. If you're configuring remote machines with a default deny rule
instead of explicitly adding a deny rule you might want to reconsider.

Please back this out.

-- 
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org

hint: if you really want to do this, add IP_FW_F_FLUSHPROOF (or whatever)
to the flags of struct ip_fw->fw_flg, that would make much more sense.
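The two flush policies argued over in this thread can be compared side by side with a small model. The following C program is an added illustration, not code from the FreeBSD ip_fw.c commit or from either poster: it keeps a constructed five-rule table, applies the committed policy (flush only rules numbered above the net.inet.ip.fw.permanent_rules threshold) and the policy from the hint (flush every rule except those carrying a per-rule IP_FW_F_FLUSHPROOF flag), and reports which rules survive each. The struct layout, the flag's bit value and the rule numbers are all constructed for the example; the real struct ip_fw and its fw_flg field are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag value for illustration only; the thread names the flag
 * but this is not the real ip_fw.h definition. */
#define IP_FW_F_FLUSHPROOF 0x80000000u

struct rule {
    uint16_t number;   /* ipfw rule number, the ordering key */
    uint32_t flags;    /* stands in for ip_fw->fw_flg in the model */
};

/* Constructed sample rule set. Rules 100 and 2000 are the ones a remote
 * admin wants to survive a flush (management access, plus a late-numbered
 * allow); 200, 1000 and 5000 are disposable configuration. */
static const struct rule sample[] = {
    {  100, IP_FW_F_FLUSHPROOF },
    {  200, 0 },
    { 1000, 0 },
    { 2000, IP_FW_F_FLUSHPROOF },
    { 5000, 0 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* Committed policy: a flush removes only rules numbered above the
 * permanent_rules threshold. Writes surviving rule numbers to out (room for
 * NSAMPLE entries) and returns how many survived. */
size_t survivors_threshold(uint16_t permanent_rules, uint16_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (sample[i].number <= permanent_rules)
            out[kept++] = sample[i].number;
    return kept;
}

/* Policy from the hint: a flush removes every rule except those flagged. */
size_t survivors_flag(uint16_t *out)
{
    size_t kept = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        if (sample[i].flags & IP_FW_F_FLUSHPROOF)
            out[kept++] = sample[i].number;
    return kept;
}

/* Convenience predicates: does rule `number` survive under each policy? */
bool survives_threshold(uint16_t permanent_rules, uint16_t number)
{
    uint16_t out[NSAMPLE];
    size_t n = survivors_threshold(permanent_rules, out);
    for (size_t i = 0; i < n; i++)
        if (out[i] == number)
            return true;
    return false;
}

bool survives_flag(uint16_t number)
{
    uint16_t out[NSAMPLE];
    size_t n = survivors_flag(out);
    for (size_t i = 0; i < n; i++)
        if (out[i] == number)
            return true;
    return false;
}

static void show(const char *label, const uint16_t *out, size_t n)
{
    printf("%s:", label);
    for (size_t i = 0; i < n; i++)
        printf(" %u", out[i]);
    printf("\n");
}

int main(void)
{
    uint16_t out[NSAMPLE];
    size_t n;

    /* Threshold 1000 keeps 100, 200 and 1000: the wanted rule 2000 is lost
     * and two disposable rules are kept purely because of their numbers. */
    n = survivors_threshold(1000, out);
    show("threshold 1000 keeps", out, n);

    /* The flag keeps exactly 100 and 2000, independent of numbering. */
    n = survivors_flag(out);
    show("flag keeps", out, n);
    return 0;
}
```

The model makes the hint's point concrete: a numeric threshold ties "survives a flush" to rule ordering, so a protected rule cannot sit above an unprotected one, whereas a per-rule flag lets the property be set on exactly the rules that need it.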