Mike Ditto wrote:

Dave Miner wrote On 03/07/06 08:22,:
[about enabling/disabling whether IPFilter filters loopback traffic]
- it should be easy for the user to make this selection in the context of other tasks they'd be doing to configure the filtering feature. It should be part of what they'd normally do to set other aspects of filtering policy.

Absolutely.  Ideally, this parameter setting should be considered part
of the rule set and should be stored in the same file.  A set of rules
is always written with a particular expectation of this setting and it
would be wrong to execute it with the wrong setting because it would
not have the intended effect.

But that doesn't mean it's easy to add such a notation to the rule file
format in a compatible way.

My preference is to divide describing the security policy (filter rules)
from system or filter configuration.

You can currently do:

$ ipf -f /etc/ipf/ipf.conf

to load rules and to remove them, do:

$ ipf -rf /etc/ipf/ipf.conf

If you start putting "settings" in this file, what effect does a "remove" have
on them?  Or maybe only part of the file or certain lines are recognised,
depending on command line switches or... it becomes a very messy situation.
The sendmail.cf file is a great historical example of what happens when you
merge setting options and policy.

Darren

_______________________________________________
networking-discuss mailing list
[email protected]
