Darren Reed wrote:
> On 08/27/08 16:37, Bill Sommerfeld wrote:
>> On Wed, 2008-08-27 at 16:15 -0700, Darren Reed wrote:
>>
>> ...
>>> But that said, the greater question you've asked is a good one:
>>> is it an acceptable policy to allow service administrators, rather
>>> than a host administrator to control network access to a service?
>>>
>> Unless I'm mistaken, the spec as written would allow *any* service
>> administrator to inject essentially arbitrary rules into the global
>> ipf.conf.
>>
>
> Given David's replies, do you still see that as being possible?
>
>>> But if there is an overall policy that should be applied instead,
>>> like you are suggesting, then my take on this is that it falls outside
>>> of what this project is delivering.
>>>
>> so this project is just intended to provide the impression of security
>> without actually providing any real controls on traffic flow?
>>
>
> Maybe I should ask, what would you define as being an "overall policy"?
>
> When I think of that, in terms of ipf, I think someone is delivering a
> specific ipf.conf file, and use of that (instead of per-service
> configuration) is outside of what this project is doing.
>

I'm not answering for Bill. However, a pre-defined ipf.conf file is supported. The user can set the Global Default policy to "custom" and specify the file from which we'll simply load the pre-defined rules.

-tony