From swear@blarg.net  Fri Mar  8 13:58:55 2002
Return-Path: <swear@blarg.net>
Received: from lists.blarg.net (lists.blarg.net [206.124.128.17])
	by hub.freebsd.org (Postfix) with ESMTP id C19B037B404
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  8 Mar 2002 13:58:54 -0800 (PST)
Received: from thig.blarg.net (thig.blarg.net [206.124.128.18])
	by lists.blarg.net (Postfix) with ESMTP id 78C9DBD95
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  8 Mar 2002 13:58:54 -0800 (PST)
Received: from localhost.localdomain ([206.124.139.115])
	by thig.blarg.net (8.9.3/8.9.3) with ESMTP id NAA30199
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 8 Mar 2002 13:58:54 -0800
Received: (from jojo@localhost)
	by localhost.localdomain (8.11.6/8.11.3) id g28M2QZ00912;
	Fri, 8 Mar 2002 14:02:26 -0800 (PST)
	(envelope-from swear@blarg.net)
Message-Id: <3ag03ag1l9.03a@localhost.localdomain>
Date: 08 Mar 2002 14:02:26 -0800
From: "Gary W. Swearingen" <swear@blarg.net>
Reply-To: swear@blarg.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: blackhole(4) page seems to contradict itself in WARNING
X-GNATS-Notify:

>Number:         35686
>Category:       docs
>Synopsis:       blackhole(4) page seems to contradict itself in WARNING
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 08 14:00:02 PST 2002
>Closed-Date:    Fri Apr 14 20:12:27 GMT 2006
>Last-Modified:  Fri Apr 14 20:12:27 GMT 2006
>Originator:     Gary W. Swearingen
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
none
>Environment:
n/a
================
>Description:

The "warnings" section of the blackhole(4) man page has these two
statements:

    In order to create a highly secure system, ipfw(8) should be used
    for protection, not the blackhole feature.

    This mechanism is not a substitute for securing a system.  It should
    be used together with other security mechanisms.

The first implies that blackhole shouldn't be used with, say, ipfw,
while the second implies that it should.  It needs clarification.

================
>How-To-Repeat:
n/a
================
>Fix:
?

>Release-Note:
>Audit-Trail:

From: Tom Rhodes <darklogik@pittgoth.com>
To: swear@blarg.net
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: docs/35686: blackhole(4) page seems to contradict itself in WARNING
Date: Fri, 08 Mar 2002 17:36:05 -0500

 Gary W. Swearingen wrote:
 
 
 > The "warnings" section of the blackhole(4) man page has these two
 > statements:
 > 
 >     In order to create a highly secure system, ipfw(8) should be used
 >     for protection, not the blackhole feature.
 > 
 >     This mechanism is not a substitute for securing a system.  It should
 >     be used together with other security mechanisms.
 > 
 > The first implies that blackhole shouldn't be used with, say, ipfw,
 > while the second implies that it should.  It needs clarification.
 > 
 
 I read over the ``manual page'' &Keramidas.use-manual-page.not-man-page; 
 and I gather this as more a method for port scans.  Can this method be 
 used WITH ipfw(8)?  If so, then wouldn't it be easier to use this feature?
 
 I do think you can use it like that, but I'm not sure... paragraph 1 
 states that setting the value to 2 will drop connections on a closed 
 port... makes me think that ipfw(8) could forward packets and this could 
 be run alongside...  But with no experience with blackhole(4) I'd 
 rather hear another comment...
 
 -- 
 Tom (Darklogik) Rhodes
 www.Pittgoth.com Gothic Liberation Front
 www.FreeBSD.org  The Power To Serve
 
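The arrangement Tom is asking about, the blackhole sysctls running alongside ipfw(8), as an added configuration example that is not part of this PR or of the FreeBSD manual page; the file paths, rule numbers and the interface name em0 are assumptions, the sysctl names and values come from blackhole(4):

```conf
# /etc/sysctl.conf  (assumed location; sysctl names and values from blackhole(4))
# blackhole only changes what the stack answers for packets that have already
# reached a closed port: tcp.blackhole=2 silently drops every TCP segment sent
# to a closed port (no RST); udp.blackhole=1 drops UDP datagrams sent to a
# closed port without an ICMP port unreachable.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# /etc/rc.conf  (assumed; points ipfw at the rules file below)
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"

# /etc/ipfw.rules  (assumed path; em0 is an assumed interface name)
# ipfw decides which packets reach the host at all, so the blackhole sysctls
# only ever see traffic these rules have already let through.  A probe to a
# closed port is stopped by rule 65000 before blackhole is consulted; the
# sysctls cover what the firewall admits, they do not replace it.
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from any to me 22 in via em0 setup keep-state
add 400 allow tcp from me to any out via em0 setup keep-state
add 500 allow udp from me to any 53 out via em0 keep-state
add 65000 deny ip from any to any
```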

From: Dima Dorfman <dima@trit.org>
To: swear@blarg.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/35686: blackhole(4) page seems to contradict itself in WARNING 
Date: Sat, 09 Mar 2002 02:01:46 +0000

 "Gary W. Swearingen" <swear@blarg.net> wrote:
 > 
 > >Number:         35686
 > >Category:       docs
 > >Synopsis:       blackhole(4) page seems to contradict itself in WARNING
 > >Description:
 > 
 > The "warnings" section of the blackhole(4) man page has these two
 > statements:
 > 
 >     In order to create a highly secure system, ipfw(8) should be used
 >     for protection, not the blackhole feature.
 > 
 >     This mechanism is not a substitute for securing a system.  It should
 >     be used together with other security mechanisms.
 
 To me, this sounds more redundant than contradicting (they both say
 that blackhole isn't sufficient for a "secure system"), but I can
 understand how someone might interpret it that way.  Do you have any
 suggestions for a better wording?  Perhaps just removing the first
 paragraph would suffice--that seems more like a plug for ipfw(8) than
 a bug in blackhole(4), anyway.

From: swear@blarg.net (Gary W. Swearingen)
To: Dima Dorfman <dima@trit.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/35686: blackhole(4) page seems to contradict itself in WARNING
Date: 08 Mar 2002 22:24:51 -0800

 Dima Dorfman <dima@trit.org> writes:
 
 > "Gary W. Swearingen" <swear@blarg.net> wrote:
 > >     In order to create a highly secure system, ipfw(8) should be used
 > >     for protection, not the blackhole feature.
 > > 
 > >     This mechanism is not a substitute for securing a system.  It should
 > >     be used together with other security mechanisms.
 > 
 ...
 > Do you have any
 > suggestions for a better wording?
 
 No, since I don't know what it SHOULD be trying to say.
 
 This is my best guess at what the above implies, but I doubt if it is
 what it SHOULD imply:
 
     In order to create a highly secure system, ipfw(8) should be used
     for protection, not the blackhole feature.  For a less-than-highly
     secure system, use the blackhole feature with security mechanisms
     other than ipfw(8).  For an insecure system use only the blackhole
     feature (or nothing).
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Apr 14 20:10:43 UTC 2006 
State-Changed-Why:  
I see no problems with the blackhole man page really.  Please 
let me know if you want to re-open this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35686 
>Unformatted:
