Date: Tue, 29 Jan 2002 14:04:57 +1100 From: "Andrew Cowan" <andrew.cowan@hsd.com.au> To: "Nate Williams" <nate@yogotech.com> Cc: "Freebsd-Stable" <freebsd-stable@FreeBSD.ORG> Subject: RE: Proposed Solution To Recent "firewall_enable" Thread. [Please Read] Message-ID: <NEBBJIKPNGEHLCBOLMDMMEBOFPAC.andrew.cowan@hsd.com.au> In-Reply-To: <15445.54755.551301.284078@caddis.yogotech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Sorry, but:
ipfw_enable=no
ipfw_firewall_enable=yes
Will still be confusing to newbies. I had to read the descriptions to see
what they did as they should like they do the same thing. It is really to
much work to change the script variable names in current, so that they
relate exactly to what they do?
eg.
ipfw_load_firewall_rules={yes,no}
ipfw_firewall_rules_file={open,simple,etc,/etc/myfirewall.rule}
If ipfw_firewall_rules_file is not specified then it does not load one.
(defaults to kernel setting or deny_all I think)
If ipfw_load_firewall_rules is no then module is not loaded (handles ipfw
not in kernel)
(The ipfw_load_firewall_rules could be replaced by checking if the file is
specified, but it would be too confusing again)
Could old and new variables be used to handle the transition. I just don't
like the idea of not fixing something that needs it. As long as it handle
old configs then its fine right?
To summarise:
1. Functionality of system is not changed.
2. Configuration is made consistent with functionality.
3. System is backwards compatible with old configurations
via adding new variables rather than the changing of
old ones. (just requires duplication of code in
network script)
4. Version 5 will soon replace 4 - this is as good an
opportunity as we'll ever get. The old script variables
can be made defunct in 5 if you wish
I appologise if parts of this have been said elsewhere, I just wanted to put
my view across.
Regards,
Andrew Cowan
>
>
> > : Yes, and I think having this is a good thing. However, what are the
> > : default values for the variables?
> >
> > In previous mail I suggested:
> >
> > ipfw_enable=no
> > ipfw_firewall_enable=yes
>
> Gotcha, I confused ipfw_enable with ipfw_firewall_enable.
> Unfortunately, it's not obvious which one the users should use to enable
> the functionality.
>
> Now we have two variables that *appear* to be redundant....
>
>
> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NEBBJIKPNGEHLCBOLMDMMEBOFPAC.andrew.cowan>