From: Les M. <les...@gm...> - 2012-05-16 19:23:19
On Wed, May 16, 2012 at 1:50 PM, Jeff Gehlbach <je...@op...> wrote:
> On 05/16/2012 02:12 PM, Les Mikesell wrote:
>
>> I'd contend that the behavior is incorrect if you unmanage a service,
>> though. When I have explicitly told it not to manage a service on a
>> specific interface it should quit probing it and triggering the
>> associated security exceptions.
>
> It's working as designed, Les, and as it's worked for the past twelve
> years plus. To "unmanage" a service is to tell the *poller* to ignore
> it. This has no bearing on Capsd / Provisiond, because those daemons
> are in a different business.

I understand why it does the wrong thing. I'm just saying that it is wrong for a program to continue abusing a network port after being told not to do it. You can interpret that as meaning that I am wishing for a more convenient way for an operator to interact with all of the disconnected portions of OpenNMS than editing filters into each portion's xml config or imposing firewalls between them if you want. But really, what business does capsd/provisiond have discovering services on interfaces where you don't want them to be managed (or more to the point, may be sending emails to a security officer each time they are probed...).

--
Les Mikesell
les...@gm...