On Sun, 15 Dec 2002, Matthew Dillon wrote:
>     Here's a new patch.  But there isn't much of a point if we do not
>     also disallow ipfw DELETE and FLUSH.  And the pipe config commands
>     as well as anything else that changes the firewall state.  Firewalls
>     are there to protect the systems behind them.  I think deleting the
>     rule that, say, prevents spoofing is as bad as adding a rule that
>     allows everything through :-(

One other avenue would be to stick a temporary check for ABI compat in
installworld before overwriting ipfw.  Or for the next few releases, build
both ipfw1 and ipfw2 and install both (say, symlinking ipfw -> ipfw2 by
default).  You could fall back to ipfw1 if ipfw2 returns an error code in
rc scripts.  I'd prefer this kind of hack in the install/rc process, not
in a new API.

Regarding civility to developers, there are a ton of frustrating things in
any project.  I think civility should be the response given to both
reasonable and unreasonable people.  If they are unreasonable, giving a
reasonable response just makes them look bad.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to