Barney Wolff wrote:
On Sat, Sep 04, 2004 at 01:28:28PM -0400, vxp wrote:
in other words, what would you guys say would be a _proper_ bsd-style thing to
do, if this were to be done?

Nothing. If you want to pollute your kernel with nonsense of this sort, go right ahead, but leave mine alone. Adding frills detracts from security, even when they're only enabled by compile-time switches. The netinet code is already a challenge to follow or keep in mind all at once. Anything that makes the problem worse without a really big payoff is insane.

I very much concur with Barney's sentiment, but I would also point out that our decisions for various sysctl settings should be based on sound network engineering practices. If we mimic some OS by trying to replicate something stupid that it does, then we've compromised sound network engineering. It reeks of the "deny ICMP" stupidity you so often see in firewall configs.


OTOH, I think understanding why different OSes fingerprint differently is an extremely interesting pursuit, and good studies describing the many different strategies are fascinating if done well (not just the usual "this OS has its head up its ass" commentary, but really delve in to see "oh *that's* why they do that"). This "comparative literature" approach could build consensus for what the "right" approaches are and understanding of the reasonable alternatives. It may be that more consensus in approach would change the viability of fingerprinting anyway, and then for good reasons.

--ckg
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
