Date: Sat, 26 Jan 2002 23:47:46 -0700
From: Nate Williams <nate@yogotech.com>
To: Ian Dowse <iedowse@maths.tcd.ie>
Cc: "Crist J. Clark" <cjc@FreeBSD.ORG>, "Thomas T. Veldhouse" <veldy@veldy.net>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <15443.41618.157705.409144@caddis.yogotech.com>
In-Reply-To: <200201261349.aa24682@salmon.maths.tcd.ie>
References: <20020125190552.E14394@blossom.cjclark.org> <200201261349.aa24682@salmon.maths.tcd.ie>
> >But the current behavior of the two is inconsistent if
> >'firewall_enable="NO".' If you have a statically compiled firewall, you
> >have a brick. If you don't, you have a wide-open machine. The change
> >would make it wide open in both cases. That is, when you do not have
> >firewall_enable enabling firewalling, you don't have a firewall. (period)
>
> We have numerous machines with firewall_enable="NO" (because we
> don't want the rc scripts to touch the firewall config) and both
> `options IPFIREWALL' and `options IPFIREWALL_DEFAULT_TO_ACCEPT' in
> the kernel config. A trivial firewall/dummynet configuration is
> set up in rc.local.

In essence, you don't have a firewall, but a NAT setup. The error here is that it just so happens that NAT is implemented in the firewall code in FreeBSD. IMO, this should be configured differently.

But, you bring up a good point.

> In general, xxx="NO" in rc.conf means "don't start xxx", it doesn't
> mean "don't start xxx, and if there is one running, kill it", i.e.
> ="NO" is an instruction to the rc scripts to do nothing (I'm sure
> there are a few exceptions).

Except that the firewall isn't something that needs to be started/stopped.

> I think the existing firewall_enable
> behaviour is consistent with this, but a new "DISABLE" option could
> be added without any problems.

Agreed.

Nate
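The three outcomes discussed in this thread (rc-managed ruleset, wide open, or brick) can be derived from a kernel config and rc.conf before a box is rebooted. The script below is an added example, not code from the thread or from FreeBSD; it assumes the kernel config is a plain text file of `options` lines, that the rc scripts only load a ruleset when firewall_enable is "YES", and the sample config files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the effective packet policy a
# FreeBSD box ends up with from its kernel config and rc.conf, following the
# cases described in the message: rc-managed / open / brick.
# Assumption: the rc scripts load a ruleset only when firewall_enable is YES.

effective_policy() {
    kconf="$1"; rcconf="$2"
    # Last firewall_enable assignment in rc.conf wins; surrounding quotes are stripped.
    fw_enable=$(sed -n 's/^[[:space:]]*firewall_enable=["'\'']*\([^"'\''[:space:]]*\).*/\1/p' "$rcconf" | tail -n 1)
    [ -z "$fw_enable" ] && fw_enable=NO     # the /etc/defaults/rc.conf value
    has_ipfw=0; default_accept=0
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$kconf" && has_ipfw=1
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT([[:space:]]|$)' "$kconf" && default_accept=1
    case "$fw_enable" in
        [Yy][Ee][Ss]) echo rc-managed ;;      # rc scripts load the firewall_type ruleset
        *)
            if [ "$has_ipfw" -eq 0 ]; then
                echo open                     # no firewall code in the kernel: wide open
            elif [ "$default_accept" -eq 1 ]; then
                echo open                     # firewall present, default rule accepts
            else
                echo brick                    # firewall present, default rule denies all
            fi ;;
    esac
}

# Constructed sample configs covering the cases in the thread.
SAMPLES=$(mktemp -d)
printf 'options IPFIREWALL\n' > "$SAMPLES/KERN_DENY"
printf 'options IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$SAMPLES/KERN_ACCEPT"
printf 'options INET\n' > "$SAMPLES/KERN_NOFW"
printf 'firewall_enable="NO"\n' > "$SAMPLES/rc_no"
printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$SAMPLES/rc_yes"

for k in KERN_DENY KERN_ACCEPT KERN_NOFW; do
    for r in rc_no rc_yes; do
        printf '%-12s %-7s -> %s\n' "$k" "$r" "$(effective_policy "$SAMPLES/$k" "$SAMPLES/$r")"
    done
done
```

The KERN_DENY plus rc_no row is the "brick" case from the thread; the KERN_ACCEPT plus rc_no row is the configuration Ian describes.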