> In any event, I wasn't arguing against a strict default. I was
> arguing against violating explicit admin-specified filtering policy
> merely because some local service needing an exemption is enabled.
> Explicit configuration of filters should trump services.
This was my thinking as well -- but it seems to be an intentional design decision with per-socket IPsec policy overrides. The argument that the admin both set the original policy and started the application that conflicted with it (and thus got what he wanted with minimal fuss) made some sense to me back in simpler times, but with the level of complexity and feature integration today, I find it hard to defend. -- meem