by mail.netbsd.org with SMTP; 24 Oct 2000 15:52:10 -0000
	id xma020217; Tue, 24 Oct 00 11:53:13 -0400
 (Content Technologies SMTPRS 4.1.5) with ESMTP id <T5c0121d94f7346576d@snt003.net.slk.com>;
 Tue, 24 Oct 2000 11:53:26 -0400
	id VMVPT15Y; Tue, 24 Oct 2000 11:41:29 -0400
Date: Tue, 24 Oct 2000 11:51:50 -0400 (Eastern Daylight Time)
From: Jon Lindgren <jlindgren@slk.com>
To: Andrew Brown <atatat@atatdot.net>
cc: tech-security@netbsd.org, tech-kern@netbsd.org
Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
In-Reply-To: <20001024114812.A28507@noc.untraceable.net>
Message-ID: <Pine.WNT.4.21.0010241150530.346-100000@a28043.net.slk.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 24 Oct 2000, Andrew Brown wrote:

> >This was furthered into using sysctl's to do accomplish the same
> >results... having a security section with knobs to frob which turn
> >different features (such as allowing ipf or ipnat rules to be added,
> >etc...).  And of course, after that, making the security section
> >read-only, so if one cracks the box certain features can't be re-enabled.
> 
> no...you misunderstood me.  the "last" security knob would mark the
> *entire* sysctl mib as read-only wrt userland, not just the security
> mib.
> 
> i envisioned adjusting whatever needed to be adjusted, and then
> closing the box.

Even better ;-)

-Jon
 --------------------------------------------------------------------
 "Trout are freshwater fish, and have underwater weapons."
 "Zing, zing zing zing!"
 "Keep away from the trout."
 -- The opinions expressed are not necesarily those of my employer --
 "Who stole my lawn?"