Subject: Re: CVS commit: src/sys/kern
To: None <email@example.com>
From: YAMAMOTO Takashi <firstname.lastname@example.org>
Date: 09/11/2006 15:13:04
resending with a correct Cc:.
> > > - i don't think it's so relevant.
> > > - i don't think IPFILTER_DEFAULT_BLOCK option is a great idea.
> > > - iirc, ipfilter has a global knob to enable it.
> > How is this supposed to work? The point of IPFILTER_DEFAULT_BLOCK is
> > protect your system from, for example, inapproprate packet handling
> > or routing over autoconfigured network interfaces (or interfaces
> > configured by the kernel as part of the boot process) *before* any
> > user code runs.
> > What, exactly, is supposed to turn this knob?
> > Thor
> you can enable it at some point after listeners are loaded.
> or you can make it automatically enabled when the first listener in
> the system is loaded. (maybe the latter works only when if you load
> a set of listeners as a "secure model".)
> YAMAMOTO Takashi