Bart Smaalders writes:
> The rules in any single ipf.conf file should describe a
> consistent, safe set of ipfilter rules for a single
> operating state.
>
> They should be either all applied or none.

I don't think it's as simple as that in general. Suppose my
configuration says this:

    block in quick on foobar0 from ! 192.168.254.0/24 to any

Should the rule set fail to load if "foobar0" doesn't exist in the
system? What should it do if that interface shows up later? What
should it do if I have (or later gain) *OTHER* interfaces on the
system that are not listed in the current rules?

As far as I know, there's currently no way to express the idea that
any new interface should not be brought up unless there are matching
filter rules ready to go for that interface, so it seems to me that
there's a gap between the idea of an "all or none" policy and what
would work.

--
James Carlson, KISS Network                    <[EMAIL PROTECTED]>
Sun Microsystems / 1 Network Drive         71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677

_______________________________________________
networking-discuss mailing list
[email protected]
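The static half of the check the reply says is missing, added here as an example and not part of the thread: before loading an ipf.conf, cross-check the interfaces the rules name against the interfaces actually present, reporting rules for absent interfaces and present interfaces that no rule covers. The rule text and the interface names other than foobar0 are constructed.

```shell
#!/bin/sh
# Constructed sample rule set; foobar0 is the interface from the message,
# net0/net1 are assumed names.
SAMPLE_RULES='# constructed ipf.conf
block in quick on foobar0 from ! 192.168.254.0/24 to any
pass in quick on net0 proto tcp from any to any port = 22 keep state
block in all
'

# Interfaces named in the rules: every token that follows "on".
rule_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { for (i = 1; i < NF; i++) if ($i == "on") print $(i+1) }' | sort -u
}

# Rules that reference an interface not present on the system.
# $1 = rules text, $2 = space-separated list of present interfaces
missing_ifaces() {
    for i in $(rule_ifaces "$1"); do
        case " $2 " in *" $i "*) ;; *) printf '%s\n' "$i" ;; esac
    done
}

# Present interfaces (other than loopback) that no rule mentions: the gap
# the message describes, an interface up with no rules ready for it.
unfiltered_ifaces() {
    rules=$(rule_ifaces "$1")
    for i in $2; do
        case "$i" in lo0) continue ;; esac
        printf '%s\n' "$rules" | grep -qx "$i" || printf '%s\n' "$i"
    done
}

# Succeeds only when both lists are empty; a loader could gate on this.
check_rules() {
    [ -z "$(missing_ifaces "$1" "$2")" ] && [ -z "$(unfiltered_ifaces "$1" "$2")" ]
}

# Stand-alone run with an assumed interface list (on a live Solaris host this
# would come from ifconfig -a or dladm show-link).
PRESENT="lo0 net0 net1"
missing_ifaces "$SAMPLE_RULES" "$PRESENT"      # foobar0
unfiltered_ifaces "$SAMPLE_RULES" "$PRESENT"   # net1
```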
