James Carlson wrote:
> Bart Smaalders writes:
> > The rules in any single ipf.conf file should describe a
> > consistent, safe set of ipfilter rules for a single
> > operating state.
> > They should be either all applied or none.
>
> I don't think it's as simple as that in general.
>
> Suppose my configuration says this:
>
>     block in quick on foobar0 from ! 192.168.254.0/24 to any
>
> Should the rule set fail to load if "foobar0" doesn't exist in the
> system? What should it do if that interface shows up later? What
> should it do if I have (or later gain) *OTHER* interfaces on the
> system that are not listed in the current rules?
>
> As far as I know, there's currently no way to express the idea that
> any new interface should not be brought up unless there are matching
> filter rules ready to go for that interface, so it seems to me that
> there's a gap between the idea of an "all or none" policy and what
> would work.
Or perhaps we should just say that

    block in all
    block out all

should be the first lines in all rule sets, thus blocking I/O on
interfaces not explicitly configured in the rule set.
- Bart
--
Bart Smaalders Solaris Kernel Performance
[EMAIL PROTECTED] http://blogs.sun.com/barts
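As an added illustration of the default-deny layout proposed above (this is example configuration written for this page, not a rule set posted in the thread; the interface name e1000g0 and the permitted services are assumptions), the following ipf.conf relies on IPFilter's last-matching-rule semantics: a rule without "quick" only wins if no later rule matches, so the two leading "block ... all" lines act as the fallback for any interface, including one that appears after the rules are loaded, while "quick" rules on a named interface make that interface's policy explicit and terminal.

```conf
# Default-deny fallback for every interface, present or future.
# No "quick" here: with IPFilter's last-match semantics these only take
# effect when nothing below matches the packet.
block in all
block out all

# Explicit policy for the one interface we have configured (assumed name).
# "quick" stops rule evaluation at the first match, so nothing later can
# accidentally widen this interface's policy.
pass in quick on e1000g0 proto tcp from any to any port = 22 flags S keep state
pass in quick on e1000g0 proto icmp from any to any icmp-type echo keep state
pass out quick on e1000g0 proto tcp from any to any flags S keep state
pass out quick on e1000g0 proto udp from any to any keep state
pass out quick on e1000g0 proto icmp from any to any keep state

# Log whatever else arrives on the configured interface so a denied
# packet is visible in ipmon output rather than silently dropped.
block in log quick on e1000g0 all
block out log quick on e1000g0 all

# Any interface not named above (e.g. the "foobar0" case from the thread)
# has no quick rule, so the leading block-all lines are its whole policy.
```

A useful check before activating such a file is a dry run with `ipf -n -f /etc/ipf/ipf.conf`, which parses the rules without installing them; a rule set that references an interface the kernel does not yet have will still parse, which is exactly why the fallback lines at the top matter.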
_______________________________________________
networking-discuss mailing list
[email protected]