Date: Thu, 19 Sep 1996 23:55:10 -0600 (MDT)
From: Marc Slemko <marcs@alive.ampr.ab.ca>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Could use a favor
Message-ID: <Pine.BSF.3.95.960919234952.7917F-100000@alive.ampr.ab.ca>
In-Reply-To: <199609180747.RAA07256@al.imforei.apana.org.au>
On Wed, 18 Sep 1996, Peter Childs wrote:

> Consider the situation where you are using a machine running
> freebsd on a machine as part of your firewall. You only want selective
> packets to be passed. If your machine boots up with a default
> policy of "let everything through" then for the time between your
> interface being initialized/configured and your rules being
> enforced/entered you've just made a large hole in your security.

Aside from the possible race condition there, which can be avoided by
careful ordering of bootup configuration, there is also the idea of
safest possible mode of failure.

Consider the case where someone accidentally messes up the firewall rules,
or the utility used to manage them gets messed up. Do you prefer that
no traffic is let through your firewall until it is fixed, or that all
traffic is let through until it is fixed?