>> Bugger! I can see a potential for some really nasty stuff coming from 
>> this. Is there absolutely no chance that the blacklist processing could 
>> be moved forward, somehow?
>>     
>
> I don't think that the consequences could be that dire (a blacklisted
> host could renew its DHCP lease is the only hole I can see), but it is
> not horribly difficult to remove this restriction.
>   
If there is 'processing' before 'checking' this could potentially be 
exploited (DoS and DDoS attacks are what I am thinking of). If you could, 
somehow, manage to put 'checking' before 'processing' that would be 
ideal, but if you can't you need to clearly explain this (in a note 
possibly) in one of the man pages so that everybody is clear what is 
happening.


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
