From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Sat, 26 Jan 2002 23:47:46 -0700
To: Ian Dowse
Cc: "Crist J. Clark", "Thomas T. Veldhouse", Patrick Greenwell, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <200201261349.aa24682@salmon.maths.tcd.ie>
References: <20020125190552.E14394@blossom.cjclark.org> <200201261349.aa24682@salmon.maths.tcd.ie>

> >But the current behavior of the two is inconsistent if
> >'firewall_enable="NO".' If you have a statically compiled firewall, you
> >have a brick. If you don't you have a wide-open machine. The change
> >would make it wide open in both cases. That is, when you do not have
> >firewall_enable enabling firewalling, you don't have a firewall. (period)
>
> We have numerous machines with firewall_enable="NO" (because we
> don't want the rc scripts to touch the firewall config) and both
> `options IPFIREWALL' and `options IPFIREWALL_DEFAULT_TO_ACCEPT' in
> the kernel config. A trivial firewall/dummynet configuration is
> set up in rc.local.

In essence, you don't have a firewall, but a NAT setup. The error here is
that it just so happens that NAT is implemented in the firewall code in
FreeBSD. IMO, this should be configured differently.

But, you bring up a good point.

> In general, xxx="NO" in rc.conf means "don't start xxx", it doesn't
> mean "don't start xxx, and if there is one running, kill it", i.e.
> ="NO" is an instruction to the rc scripts to do nothing (I'm sure
> there are a few exceptions).

Except that the firewall isn't something that needs to be started/stopped.

> I think the existing firewall_enable
> behaviour is consistent with this, but a new "DISABLE" option could
> be added without any problems.

Agreed.

Nate
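As an added example (not part of this thread or of the FreeBSD rc scripts), a small POSIX shell check of the situation the thread describes: given a kernel config file and an rc.conf, it reports whether firewall_enable="NO" leaves the box a brick (static IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT), wide open, or under rc-script control. The function names and the sample files are my own constructions; only the knobs discussed above are inspected.

```shell
#!/bin/sh
# Hypothetical audit helper: derive the effective ipfw default policy from a
# kernel config plus rc.conf, following the behaviour described in the thread.

# kernel_has OPTION KERNCONF: true if "options OPTION" is set (comments ignored;
# IPFIREWALL must not match IPFIREWALL_VERBOSE etc.).
kernel_has() {
    sed 's/#.*//' "$2" \
        | grep -Eq "^[[:space:]]*options[[:space:]]+$1([[:space:]]|$)"
}

# rc_value KNOB RCCONF: value of the last KNOB= assignment, quotes stripped.
rc_value() {
    sed 's/#.*//' "$2" | grep -E "^[[:space:]]*$1=" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*$//' \
              -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# ipfw_policy KERNCONF RCCONF: prints rc-managed | open | brick
ipfw_policy() {
    kern=$1; rc=$2
    # An absent knob is treated as "NO", which is what the rc scripts do.
    enable=$(rc_value firewall_enable "$rc" | tr '[:lower:]' '[:upper:]')
    if [ "$enable" = "YES" ]; then
        echo rc-managed; return      # rc.firewall loads the chosen rule set
    fi
    if ! kernel_has IPFIREWALL "$kern"; then
        echo open; return            # no ipfw loaded at all: no firewall
    fi
    if kernel_has IPFIREWALL_DEFAULT_TO_ACCEPT "$kern"; then
        echo open                    # static ipfw, default rule 65535 allows
    else
        echo brick                   # static ipfw, default rule 65535 denies
    fi
}

# Constructed sample inputs, as a stand-alone demonstration.
demo_dir=$(mktemp -d)
printf 'options IPFIREWALL   # static ipfw\noptions IPFIREWALL_VERBOSE\n' \
    > "$demo_dir/KERNEL"
printf 'hostname="caddis"\nfirewall_enable="NO"\n' > "$demo_dir/rc.conf"
echo "Effective policy: $(ipfw_policy "$demo_dir/KERNEL" "$demo_dir/rc.conf")"
rm -rf "$demo_dir"
```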