| Summary: | blackhole(4) page seems to contradict itself in WARNING | ||
|---|---|---|---|
| Product: | Documentation | Reporter: | Gary W. Swearingen <swear> |
| Component: | Books & Articles | Assignee: | freebsd-doc (Nobody) <doc> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
Gary W. Swearingen wrote:
> The "warnings" section of the blackhole(4) man page has these two
> statements:
>
> In order to create a highly secure system, ipfw(8) should be used
> for protection, not the blackhole feature.
>
> This mechanism is not a substitute for securing a system. It should
> be used together with other security mechanisms.
>
> The first implies that blackhole shouldn't be used with, say, ipfw,
> while the second implies that it should. It needs clarification.
>
I read over the ``manual page'' &Keramidas.use-manual-page.not-man-page;
and I gather this as more a method for port scans. Can this method be
used WITH ipfw(8)? If so, then wouldn't it be easier to use this feature?
I do think you can use it like that, but I'm not sure... paragraph 1
states that setting the value to 2 will drop connections on a closed
port... makes me think that ipfw(8) could forward packets and this could
be run alongside... But with no experience with blackhole(4) I'd
rather hear another comment...
--
Tom (Darklogik) Rhodes
www.Pittgoth.com Gothic Liberation Front
www.FreeBSD.org The Power To Serve
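The question above is whether the blackhole(4) sysctls can run alongside ipfw(8). They can: net.inet.tcp.blackhole (0, 1 or 2) and net.inet.udp.blackhole (0 or 1) only change what the stack sends back for ports that have no listener, while ipfw filters packets before they reach the stack at all. The script below is an added example, not code from this PR or from the FreeBSD project: it reads a `sysctl -a`-style dump ("name: value" lines) and reports whether blackhole is active, whether ipfw is enabled (net.inet.ip.fw.enable is present only when ipfw is loaded), and which combination that is. The sample dumps are constructed so the script runs on any POSIX sh; on a FreeBSD host you would feed it `sysctl -a`.

```shell
#!/bin/sh
# Added example (not from the PR or the blackhole(4) page): audit a
# `sysctl -a`-style dump for the blackhole(4) knobs and report whether the
# host also has ipfw enabled, since blackhole only hides closed ports and is
# no substitute for a packet filter.
#
# FreeBSD sysctl names used here:
#   net.inet.tcp.blackhole  0 = send RST as usual, 1 = drop SYNs to closed
#                           ports, 2 = drop every segment to closed ports
#   net.inet.udp.blackhole  0 = send ICMP port unreachable, 1 = drop silently
#   net.inet.ip.fw.enable   1 when ipfw is loaded and enabled; absent otherwise

# Print the value of one OID from "name: value" lines on stdin.
# Prints nothing when the OID is not in the dump.
sysctl_value() {
    awk -v oid="$1" '$1 == (oid ":") { print $2; exit }'
}

# Summarise the posture of a dump read from stdin as one line:
#   tcp=<v> udp=<v> ipfw=<v> verdict=<verdict>
# verdict is one of:
#   complementary   blackhole active and ipfw enabled (what the man page asks for)
#   blackhole-only  blackhole active but no packet filter in front of it
#   filter-only     ipfw enabled, blackhole off
#   neither
audit_blackhole() {
    dump=$(cat)
    tcp=$(printf '%s\n' "$dump" | sysctl_value net.inet.tcp.blackhole)
    udp=$(printf '%s\n' "$dump" | sysctl_value net.inet.udp.blackhole)
    fw=$(printf '%s\n' "$dump" | sysctl_value net.inet.ip.fw.enable)
    # A missing OID means the feature is off (or, for ipfw, not loaded).
    : "${tcp:=0}" "${udp:=0}" "${fw:=0}"

    bh=0
    if [ "$tcp" != 0 ] || [ "$udp" != 0 ]; then bh=1; fi

    if [ "$bh" = 1 ] && [ "$fw" = 1 ]; then verdict=complementary
    elif [ "$bh" = 1 ]; then verdict=blackhole-only
    elif [ "$fw" = 1 ]; then verdict=filter-only
    else verdict=neither
    fi
    printf 'tcp=%s udp=%s ipfw=%s verdict=%s\n' "$tcp" "$udp" "$fw" "$verdict"
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_BLACKHOLE_ONLY='net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1
net.inet.ip.forwarding: 0'

SAMPLE_BOTH='net.inet.tcp.blackhole: 2
net.inet.udp.blackhole: 1
net.inet.ip.fw.enable: 1'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BLACKHOLE_ONLY" | audit_blackhole
printf '%s\n' "$SAMPLE_BOTH" | audit_blackhole
```

On FreeBSD, `sysctl -a | sh -c '. ./audit.sh; audit_blackhole'` (or sourcing the functions into an interactive shell) gives the live verdict; the knobs themselves are set with `sysctl net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1` and persisted as `name=value` lines in /etc/sysctl.conf. A "blackhole-only" verdict is exactly the situation the man page warns about: scanners see fewer RSTs and ICMP unreachables, but nothing is filtering traffic to the ports that are open.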
"Gary W. Swearingen" <swear@blarg.net> wrote:
> >Number:         35686
> >Category:       docs
> >Synopsis:       blackhole(4) page seems to contradict itself in WARNING
> >Description:
>
> The "warnings" section of the blackhole(4) man page has these two
> statements:
>
>     In order to create a highly secure system, ipfw(8) should be used
>     for protection, not the blackhole feature.
>
>     This mechanism is not a substitute for securing a system. It should
>     be used together with other security mechanisms.

To me, this sounds more redundant than contradicting (they both say that
blackhole isn't sufficient for a "secure system"), but I can understand
how someone might interpret it that way. Do you have any suggestions for
a better wording? Perhaps just removing the first paragraph would
suffice--that seems more like a plug for ipfw(8) than a bug in
blackhole(4), anyway.

Dima Dorfman <dima@trit.org> writes:
> "Gary W. Swearingen" <swear@blarg.net> wrote:
> > In order to create a highly secure system, ipfw(8) should be used
> > for protection, not the blackhole feature.
> >
> > This mechanism is not a substitute for securing a system. It should
> > be used together with other security mechanisms.
> ...
> Do you have any suggestions for a better wording?

No, since I don't know what it SHOULD be trying to say. This is my best
guess at what the above implies, but I doubt if it is what it SHOULD
imply:

    In order to create a highly secure system, ipfw(8) should be used
    for protection, not the blackhole feature. For a less-than-highly
    secure system, use the blackhole feature with security mechanisms
    other than ipfw(8). For an unsecure system use only the blackhole
    feature (or nothing).

State Changed
From-To: open->closed

I see no problems with the blackhole man page really. Please let me know
if you want to re-open this PR.
The "warnings" section of the blackhole(4) man page has these two
statements:

    In order to create a highly secure system, ipfw(8) should be used
    for protection, not the blackhole feature.

    This mechanism is not a substitute for securing a system. It should
    be used together with other security mechanisms.

The first implies that blackhole shouldn't be used with, say, ipfw,
while the second implies that it should. It needs clarification.

Fix: ?

How-To-Repeat: n/a