On 08/27/08 16:37, Bill Sommerfeld wrote:
> On Wed, 2008-08-27 at 16:15 -0700, Darren Reed wrote:
>
> ...
>> But that said, the greater question you've asked is a good one:
>> is it an acceptable policy to allow service administrators, rather
>> than a host administrator to control network access to a service?
>>
>
> Unless I'm mistaken, the spec as written would allow *any* service
> administrator to inject essentially arbitrary rules into the global
> ipf.conf.
>

Given David's replies, do you still see that as being possible?

>> But if there is an overall policy that should be applied instead,
>> like you are suggesting, then my take on this is that it falls outside
>> of what this project is delivering.
>>
>
> so this project is just intended to provide the impression of security
> without actually providing any real controls on traffic flow?
>

Maybe I should ask, what would you define as being an "overall policy"?

When I think of that, in terms of ipf, I think someone is delivering
a specific ipf.conf file, and use of that (instead of per-service
configuration) is outside of what this project is doing.

Darren
