Date: Thu, 31 Jan 2002 00:28:33 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: "Jacques A. Vidrine" <n@nectar.cc>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, freebsd-stable@FreeBSD.ORG
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <p0510122ab87e828d1b16@[128.113.24.47]>
In-Reply-To: <20020130225454.A48040@hellblazer.nectar.cc>
References: <JI75GAYSTRA5PJZYUKGON75TOB88.3c586114@VicNBob> <200201310042.g0V0g3255325@apollo.backplane.com> <20020130202356.A47852@hellblazer.nectar.cc> <p05101226b87e6b0f9966@[128.113.24.47]> <20020130225454.A48040@hellblazer.nectar.cc>
At 10:54 PM -0600 1/30/02, Jacques A. Vidrine wrote:
>On Wed, Jan 30, 2002 at 11:21:49PM -0500, Garance A Drosihn wrote:
>> If anyone sees that change go by in mergemaster, and they do depend
>> on the present behavior, and those comments (or something better
>> than those) do not ring an alarm in their heads, then I would be
>> either surprised or disturbed.
>>
>> Maybe even this is too drastic a change for -stable, although I'd
>> it would work.
>
>No, it won't work.  Joe Experienced will configure a new system
>based on FreeBSD 4.N, and configure `firewall_enable=NO' as he has
>always done in the past.  But WHAM the behavior of this new system
>is drastically different from any previous FreeBSD release that had
>a firewall_enable knob.  He has no firewall at all, rather than a
>firewall which he configured by whatever mechanism.

Okay, I can understand that concern.  This person could perhaps be
saved by having a message print out on the console when the firewall
is turned off (i.e., if the kernel has a firewall and
firewall_enable=no).  I would expect a message to console for that
anyway.  Hell, maybe even write a message every time a person logs
into the console, if the firewall was turned off by rc.conf and if it
is still off at the time the person logs in.

I am not trying to beat a dead horse here, but I will point out that
any person who *meant* to disable all network access must be sitting
at the console of the machine.  We *can* do something to help that
person out.  But if a person turns on firewall_enable because they
expected *no* firewall, then they might not be anywhere near the
machine -- because they did not think they needed to be.  We can't do
anything to help that person once the mistake is made.  That is why I
still want to suggest some alternatives, even though many people are
probably sick of the thread.

>In general, it is a bad idea to change the semantics of a system
>setting.  Notice that when it was determined that we needed a setting
>for outbound-only sendmail, that we didn't change the semantics of
>`sendmail_enable'.

I agree that it is usually a bad idea to make such a change, but in
this case I think an exception to that rule would be reasonable.
However, I would not object to the change only being made to current,
if people do not believe my suggestions will address the concerns of
making such a change to stable.

Again, I feel a little bad to be extending a thread which has
obviously gone on long enough to be annoying to most people, but I
still believe a workable and acceptable (to everyone) solution could
be found.

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
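The console warning Garance suggests above, written out as an added example that is not part of the thread or of FreeBSD's rc scripts: it reads firewall_enable from an rc.conf-style file, interprets the value the way rc's checkyesno does, and warns when the kernel has ipfw but the knob does not enable it. It assumes the kernel firewall is detected through the ipfw sysctl net.inet.ip.fw.enable, with KERNEL_HAS_FIREWALL as a constructed override so the check can run on a machine without ipfw.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc scripts): print the
# console warning Garance proposes when a kernel with ipfw compiled in is
# left with firewall_enable=NO, so no rules are loaded.
# Assumption: a kernel firewall is detected via the ipfw sysctl
# net.inet.ip.fw.enable; KERNEL_HAS_FIREWALL=0/1 overrides the probe so the
# check can run (and be tested) on a machine without ipfw.

# Modelled on rc's checkyesno: 0 for a yes-like value, 1 for no-like,
# 2 for anything else (unset or garbage), which we treat as "not yes".
firewall_knob_is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) return 1 ;;
        *) return 2 ;;
    esac
}

# Print the value of firewall_enable from an rc.conf-style file (empty if
# unset): commented-out lines are ignored, the last assignment wins, and
# trailing comments, quotes and surrounding whitespace are stripped.
firewall_knob_value() {
    sed -n 's/^[[:space:]]*firewall_enable=//p' "$1" | tail -n 1 |
        sed 's/#.*//' | tr -d "\"'" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# True when the running kernel has ipfw (or the override says so).
kernel_has_firewall() {
    if [ -n "${KERNEL_HAS_FIREWALL-}" ]; then
        [ "$KERNEL_HAS_FIREWALL" = 1 ]
    else
        sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1
    fi
}

# Return 0 when the configuration is consistent; print a warning to stderr
# (in rc this would go to the console) and return 1 when the kernel has a
# firewall but firewall_enable does not enable it.
firewall_console_check() {
    knob=$(firewall_knob_value "$1")
    if kernel_has_firewall && ! firewall_knob_is_yes "$knob"; then
        echo "WARNING: kernel has ipfw but firewall_enable=${knob:-<unset>} in $1;" \
             "no firewall rules were loaded" >&2
        return 1
    fi
    return 0
}
```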