From owner-freebsd-current Mon Feb 26 06:06:11 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA20373 for current-outgoing; Mon, 26 Feb 1996 06:06:11 -0800 (PST)
Received: from asstdc.scgt.oz.au (root@asstdc.scgt.oz.au [202.14.234.65]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA20368 Mon, 26 Feb 1996 06:06:08 -0800 (PST)
Received: (from imb@localhost) by asstdc.scgt.oz.au (8.6.12/BSD4.4) id BAA09438; Tue, 27 Feb 1996 01:05:50 +1100
From: michael butler
Message-Id: <199602261405.BAA09438@asstdc.scgt.oz.au>
Subject: Re: -stable hangs at boot (fwd)
To: phk@critter.tfs.com (Poul-Henning Kamp)
Date: Tue, 27 Feb 1996 01:05:48 +1100 (EST)
Cc: stable@freebsd.org, current@freebsd.org
In-Reply-To: <11445.825342415@critter.tfs.com> from "Poul-Henning Kamp" at Feb 26, 96 02:46:55 pm
X-Mailer: ELM [version 2.4 PL24beta]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-current@freebsd.org
Precedence: bulk

Poul-Henning Kamp writes:

> Well, this happens to be your view. I know machines where IPFW are being
> used to restrict what users on the machine can do, this is only possible
> if you filter >ALL< traffic, to and from the machine.

OK .. but, personally, I wouldn't call or attempt to use those boxes as firewalls .. any "sensitive" firewall/filtering router I have control over has two valid accounts which have any access at all, mine and one other, with limited privilege, for daily monitoring. No users == much reduced risk.

If security is _that_ important, investing in a dedicated box to do the job is cheap at triple the price :-)

> The IPFW is not a policy, it's a tool to implement policies. As such it
> needs to be able to implement the widest possible range of policies.

I can see where you're coming from .. but this behaviour caught me out because it is unusual and I'm sure it'll catch many others :-(.

> You should be on -committers if you run -stable or -current. If you were,
> you would have seen it.

If I could get half-way through the stuff I'm obliged to read now ..

michael