On Fri, 13 Oct 2006, Stuart Henderson wrote:
> On 2006/10/13 14:36, fv wrote:
> > > I want to add some code to pfctl which
> > > would add all important rules to pf. In such a way, if those rules
> > > wouldn't be in pf.conf they would BE in pf.
> > >
> > I think it's a very bad idea. The best you can do I think is to write
> > a pfctl wrapper script in order to load your mandatory rules and rename
> > it to pfctl.
>
> Surely it's better to place mandatory rules on another box?
If you set them up in serial, an extra firewall can block some traffic, but not pass traffic that the other one has blocked. Other setups have similar restrictions.

Back to the OP's problem: if you cannot trust your fellow sysadmins, all is lost. Even hacking pf won't do; he can easily compile and use a clean pfctl. There is no alternative other than to restrict his rights, using sudo or other means.

-Otto
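As an added illustration of the "restrict his rights, using sudo" approach (this is not code from the thread or from the OpenBSD project; the user name `junior` and the command set are assumptions), a sudoers fragment that lets an administrator inspect pf state and reload only the canonical ruleset, without granting a root shell or an unrestricted pfctl:

```sudoers
# Added example sudoers fragment (hypothetical user "junior").
# Each permitted pfctl invocation is spelled out exactly; no wildcards.
Cmnd_Alias PF_INSPECT = /sbin/pfctl -sr, /sbin/pfctl -ss, /sbin/pfctl -si, /sbin/pfctl -sa
Cmnd_Alias PF_RELOAD  = /sbin/pfctl -f /etc/pf.conf

# junior may run only these commands as root, and nothing else.
junior  ALL = (root) PF_INSPECT, PF_RELOAD
```

Two points a practitioner would check. First, sudoers wildcards (`*`) match across whitespace, so a rule such as `/sbin/pfctl -s *` would also admit extra arguments like `-f /some/other/rules`; listing each full command line, as above, avoids that. Second, the rule is only as strong as the rest of the user's access: if `junior` can edit `/etc/pf.conf`, or has any other path to root, the restriction is moot, which is exactly Otto's point that a locally compiled pfctl (or anything else) defeats a "hardened" pfctl once the user already holds root.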