Subject: Re: HEADS UP: IPFilter upgraded to 3.4.29
To: David Laight <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 09/19/2002 11:59:19
>> >> IP Filter: v3.4.29 initialized. Default = pass all, Logging = enabled
>> >Why is the default 'pass all' on NetBSD?
>> because that's typically more convenient.
>Only as an initial default; there are MUCH better ways to do that.
you can change it, if you like, when you build your kernel.
>> that way if the filters don't load, you can log in and fix it.
>Only if you realise they haven't loaded.....
it should be easy enough to have the system detect that and notify.
>> >If you want a cleanly installed system to have a open network
>> >interface, it would surely be better to make the rc script load
>> >default filters from a file that does 'pass all'.
>> and if nothing can actually load filters? wouldn't you rather be able
>> to log in and attempt to fix it?
>No! because the system is wide open to every hacker until you notice it.
then you'd rather have a system you can't fix remotely. that's fine
for you perhaps, but i'm not like that.
>> >A sysctl to turn the filters off might be useful as a 'get out of jail
>> >free' card.
>> ipf -D
>Doesn't work if ipf won't run...
>(Which is the state my system was in for a few days)
if you're in that state, you shouldn't be using the machine in
production. that's indicative of an incomplete upgrade.
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."
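The thread argues about what a box should do when its ruleset fails to load: stay wide open (the NetBSD kernel default described above) or become unreachable. The script below is an added example written for this page; it is not code from the thread, from NetBSD or from the IPFilter project. It keeps the compiled-in default untouched but makes the rc step do what David asks for: load the real ruleset, and if that fails, load a minimal emergency ruleset that blocks everything except ssh from an administrative network, then notify loudly. Only if the emergency ruleset also fails does the host end up at the kernel default, and that too is logged. The ipf(8) flags used (-Fa to flush, -f to load a file, -D to disable) are real; the paths /etc/ipf.conf and /etc/ipf.emergency.conf, the admin network 192.0.2.0/24 and the IPF override variable are assumptions made for the example so the logic can be exercised on a machine without ipfilter.

```shell
#!/bin/sh
# Added example (not from the thread or from NetBSD/IPFilter): an rc-style
# ipf rule loader that fails to a small, known ruleset instead of failing
# open or failing unreachable.
#
# Assumptions, all constructed for this example:
#   IPF            command to run; override to a stub when testing
#   IPF_CONF       the real ruleset
#   IPF_EMERGENCY  fallback ruleset, written by write_emergency_rules
#   ADMIN_NET      network you will fix the box from (RFC 5737 doc range)
IPF=${IPF:-ipf}
IPF_CONF=${IPF_CONF:-/etc/ipf.conf}
IPF_EMERGENCY=${IPF_EMERGENCY:-/etc/ipf.emergency.conf}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}

# Log to syslog at security.crit and echo to stderr, so a failed load is
# noticed rather than discovered days later.
notify() {
    logger -p security.crit -t ipf "$1" 2>/dev/null || true
    echo "$1" >&2
}

# Write the emergency ruleset to the file given as $1.
# ipf is last-match-wins unless a rule says "quick", so the explicit
# passes come first with quick and the catch-all blocks come last.
write_emergency_rules() {
    cat > "$1" <<EOF
# emergency ruleset: loaded only when $IPF_CONF fails to load
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick proto tcp from $ADMIN_NET to any port = 22 flags S keep state
pass out quick proto tcp from any to any flags S keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block in log all
block out log all
EOF
}

# Load the ruleset, flushing whatever was there first.
# Returns 0: real ruleset loaded
#         1: real ruleset failed, emergency ruleset loaded
#         2: both failed; host is at the kernel's compiled-in default
load_rules() {
    if "$IPF" -Fa -f "$IPF_CONF" >/dev/null 2>&1; then
        echo "ipf: loaded $IPF_CONF"
        return 0
    fi
    notify "ipf: FAILED to load $IPF_CONF; loading emergency ruleset $IPF_EMERGENCY"
    if "$IPF" -Fa -f "$IPF_EMERGENCY" >/dev/null 2>&1; then
        notify "ipf: emergency ruleset active; only ssh from $ADMIN_NET is allowed in"
        return 1
    fi
    notify "ipf: emergency ruleset FAILED too; host is running the kernel default policy"
    return 2
}

# Only act when invoked as "sh ipf-load.sh --run" (e.g. from rc), so the
# file can also be sourced for its functions.
case "${1:-}" in
    --run)
        [ -f "$IPF_EMERGENCY" ] || write_emergency_rules "$IPF_EMERGENCY"
        load_rules
        ;;
esac
```

The manual escape hatch Andrew points to, ipf -D, still works when the filter is running; this script is for the case he and David disagree about, where the rules themselves did not load. The exit codes let the rc framework or a monitoring check tell the three states apart instead of inferring them from whether a login happens to succeed.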