On Wed, Feb 27, 2008 at 04:34:38PM +0100, Patrick McHardy wrote:
> Phil Oester wrote:
> > I really don't think this is a good idea. We allow non-root users
> > on some of our firewalls, and I don't want them to see the ruleset.
> > Also, it helps miscreants to better pick their targets, if they
> > know in advance which ports are opened.
>
> They could also find out about this simply by probing ports ...

And assuming a /16 with 65K ports, that would take a bit longer than the
few seconds it takes to dump the ruleset. Why make it easier than it
has to be?

> > If making this change, *please* consider making it configurable,
> > with the default being NO access.
>
> No, in that case I prefer to keep it restricted to root
> unconditionally. Using sudo to get the rules is no big
> deal I guess.

Seconded.

Phil
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
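The thread settles on keeping ruleset reads root-only and handing selected users read access through sudo. The sudoers fragment below is an added example, not something posted in the thread or shipped by the netfilter project; the group name `fwreaders` is hypothetical and the `/sbin/...` paths are assumed (check `command -v iptables-save` on the host in question). It grants only dump and list operations, which is the least-privilege shape Patrick's suggestion implies.

```sudoers
# Added example (not from the thread): read-only ruleset access for a
# hypothetical group "fwreaders". Binary paths are an assumption; adjust
# to the host.

# Dump the complete ruleset in iptables-save format.
%fwreaders ALL=(root) NOPASSWD: /sbin/iptables-save

# Numeric listing of the filter table (-n avoids DNS lookups on every
# address). sudoers matches the argument list exactly, so this entry
# permits only this invocation, not "iptables -F", "iptables -A ..." etc.
%fwreaders ALL=(root) NOPASSWD: /sbin/iptables -L -n -v

# Usage by a member of the group:
#   sudo iptables-save
#   sudo iptables -L -n -v
```

Two points worth checking when adopting this: never list a bare `/sbin/iptables` (no arguments) in the entry, because that would let the user modify rules rather than just read them, and note that sudo logs each invocation to syslog, so read access obtained this way leaves an audit trail that an unprivileged kernel-side read of the ruleset would not.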