Subject: Re: CVS commit: src/sys/kern
To: None <>
From: YAMAMOTO Takashi <>
List: tech-kern
Date: 09/11/2006 15:33:54
> On Mon, Sep 11, 2006 at 03:13:04PM +0900, YAMAMOTO Takashi wrote:
> > 
> >>> - i don't think it's so relevant.
> >>> - i don't think IPFILTER_DEFAULT_BLOCK option is a great idea.
> >>> - iirc, ipfilter has a global knob to enable it.
> >>
> >> How is this supposed to work?  The point of IPFILTER_DEFAULT_BLOCK is
> >> protect your system from, for example, inapproprate packet handling
> >> or routing over autoconfigured network interfaces (or interfaces
> >> configured by the kernel as part of the boot process) *before* any
> >> user code runs.
> >> 
> >> What, exactly, is supposed to turn this knob?
> > 
> > you can enable it at some point after listeners are loaded.
> > or you can make it automatically enabled when the first listener in
> > the system is loaded.  (maybe the latter works only when if you load
> > a set of listeners as a "secure model".)
> Let's stick to the example of IP Filter.  In the case of IP Filter,
> how would the specific counterexamples I pointed out be accomodated?
> For a firewall, leaking packets ever, at all, is bad.
> Thor

why stick to ipfilter, while we are talking about kauth listeners?
as i said, i don't think ipfilter is so relevant.

maybe i should have ignored the ipfilter example at the first place.  my bad.