Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: Jon Lindgren <jlindgren@slk.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 10/24/2000 11:48:12
>This was furthered into using sysctl's to accomplish the same
>results... having a security section with knobs to frob which turn
>different features (such as allowing ipf or ipnat rules to be added,
>etc...).  And of course, after that, making the security section
>read-only, so if one cracks the box certain features can't be re-enabled.

no...you misunderstood me.  the "last" security knob would mark the
*entire* sysctl mib as read-only wrt userland, not just the security
mib.

i envisioned adjusting whatever needed to be adjusted, and then
closing the box.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
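
A toy userland model of the knob described in the message above, added here as an example; it is not code from the message or from the NetBSD kernel. The node names, the `security.mib_closed` latch, and the `mib_write`/`mib_read` functions are hypothetical. It shows the distinction drawn in the reply: once the last knob is set, writes from userland are refused for every node in the tree, including the latch itself, not only for the security subtree.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a sysctl tree. All node names are constructed for illustration. */
struct node { const char *name; int value; };

static struct node mib[] = {
    { "security.ipf_rules_writable", 1 },
    { "security.mib_closed",         0 },   /* hypothetical "last" knob */
    { "net.inet.ip.forwarding",      0 },
    { "kern.maxfiles",               1024 },
};

static struct node *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(mib) / sizeof(mib[0]); i++)
        if (strcmp(mib[i].name, name) == 0)
            return &mib[i];
    return NULL;
}

/* Write path. from_kernel != 0 models in-kernel updates, which stay allowed:
 * the latch makes the tree read-only with respect to userland only. */
int mib_write(const char *name, int value, int from_kernel)
{
    struct node *n = lookup(name);
    if (n == NULL)
        return ENOENT;
    /* Once closed, every node is refused, including the latch itself,
     * so userland cannot reopen the box. */
    if (!from_kernel && lookup("security.mib_closed")->value != 0)
        return EPERM;
    n->value = value;
    return 0;
}

/* Reads are never restricted. Returns -1 for an unknown node. */
int mib_read(const char *name)
{
    struct node *n = lookup(name);
    return n ? n->value : -1;
}

int main(void)
{
    mib_write("net.inet.ip.forwarding", 1, 0);      /* adjust what is needed */
    mib_write("security.mib_closed", 1, 0);         /* then close the box */
    printf("kern.maxfiles write: %d\n", mib_write("kern.maxfiles", 4096, 0));
    printf("reopen attempt:      %d\n", mib_write("security.mib_closed", 0, 0));
    return 0;
}
```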