Date: Sun, 15 Dec 2002 10:26:22 -0800 (PST)
From: Matthew Dillon
Message-Id: <200212151826.gBFIQMpo081407@apollo.backplane.com>
To: "M. Warner Losh"
Cc: sam@errno.com, mux@FreeBSD.ORG, obrien@FreeBSD.ORG, current@FreeBSD.ORG
Subject: Re: ipfw userland breaks again.
References: <200212142351.gBENpBVH002931@apollo.backplane.com> <23f401c2a3ce$2a6e7e30$52557f42@errno.com> <200212150015.gBF0FlbS066547@apollo.backplane.com> <20021215.111441.05985858.imp@bsdimp.com>

:I don't like the patch from a security standpoint.  It makes it too
:easy to turn off a firewall.  If you want to be that stupid about
:security, you should just make the default be 'accept all' and be done
:with it.  I'm opposed to this patch unless you can get the security
:officer to sign off on it.  The defaults are there for a reason so
:that we fail 'safe' from a security point of view.
:
:The real fix is to fix the abi problems.
:
:Warner

This is complete BULLSHIT, Warner.  This patch exists precisely so the firewall can be turned on in secure mode.  It does not make it any easier to turn off than adding a rule:

    ipfw add 2 allow all from any to any

So don't give me this bullshit about the patch being a security issue.  YOU KNOW IT ISN'T.

Now you are forcing me to go to core.  It's absolutely ridiculous and you know it.  Goddamn it, next time I won't even bother posting if all I get is this sort of crap.

-Matt