From owner-cvs-all Wed Mar 21 13:34:52 2001
Delivered-To: cvs-all@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 724BD37B71B; Wed, 21 Mar 2001 13:34:45 -0800 (PST) (envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098) id 1888C81D01; Wed, 21 Mar 2001 15:34:42 -0600 (CST)
Date: Wed, 21 Mar 2001 15:34:42 -0600
From: Bill Fumerola
To: Paul Richards
Cc: Poul-Henning Kamp, Paul Richards, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_fw.c
Message-ID: <20010321153442.H2567@elvis.mu.org>
References: <89202.985209871@critter> <3AB91CC0.9F52628A@freebsd-services.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AB91CC0.9F52628A@freebsd-services.co.uk>; from paul@freebsd-services.co.uk on Wed, Mar 21, 2001 at 09:27:28PM +0000
X-Operating-System: FreeBSD 4.2-FEARSOME-20010209 i386
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Mar 21, 2001 at 09:27:28PM +0000, Paul Richards wrote:
> Configuring any *firewall* without a default deny rule is foolhardy then
> :-)

Locking yourself out of a machine miles away from where you are is probably just as foolhardy. If your machine could be compromised/attacked within the span of however long it takes to reload all your rules, that's some seriously large holes you have.

In any event, when I'm done with the ipfw lists support (aka ipfw rulesets, I can never decide on what to name things...) you'll be able to set up a list and then atomically switch to it, avoiding the need for hacks like flush-resistant rules.

I'm still not opposed to flushproof rules, done right, however.

-- 
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org
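The "load a list, then switch to it atomically" reload that Bill describes, as an added shell example that is neither part of this thread nor ipfw's own code. It assumes the `ipfw set disable` / `ipfw set swap` / `ipfw delete set` commands of later ipfw releases (not the 2001 code under discussion), set 0 as the live set, set 1 as a staging set, and a constructed sample ruleset; `IPFW=echo` previews the commands without touching the kernel.

```shell
#!/bin/sh
# Atomic ipfw ruleset switch via rule sets. Added example, not code from this
# thread; it assumes the "ipfw set disable/swap" and "ipfw delete set"
# commands that later ipfw versions provide. IPFW=echo previews the commands.
IPFW="${IPFW:-/sbin/ipfw}"
STAGE=1          # staging set; set 0 is assumed to hold the live rules

# Constructed sample ruleset: "<number> <rule body>" per line.
new_rules() {
    cat <<'EOF'
100 allow ip from any to any via lo0
200 check-state
300 allow tcp from any to me 22 setup keep-state
65000 deny log ip from any to any
EOF
}

# Load the new rules into the disabled staging set, then swap sets in one
# kernel operation. The live set is never empty, so a remote session stays
# covered by either the old or the new rules at every instant; the old rules
# land in the (still disabled) staging set and are deleted last.
atomic_reload() {
    "$IPFW" set disable "$STAGE" || return 1
    "$IPFW" delete set "$STAGE" 2>/dev/null    # drop leftovers from a failed run
    new_rules | while read -r num body; do
        "$IPFW" add "$num" set "$STAGE" $body || exit 1
    done || return 1
    "$IPFW" set swap 0 "$STAGE" || return 1
    "$IPFW" delete set "$STAGE"
}

case "${1:-}" in
    --apply)   atomic_reload ;;
    --preview) IPFW=echo; atomic_reload ;;
esac
```

Run with `--preview` first to read the exact command sequence; a rule that fails to parse aborts before the swap, so the old rules stay live.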