From owner-freebsd-stable  Sat Jan 26 22:48: 9 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1CAC837B400; Sat, 26 Jan 2002 22:48:07 -0800 (PST)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130])
	by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id XAA06296;
	Sat, 26 Jan 2002 23:48:05 -0700 (MST)
	(envelope-from nate@yogotech.com)
Received: (from nate@localhost)
	by caddis.yogotech.com (8.11.6/8.11.6) id g0R6lkr53640;
	Sat, 26 Jan 2002 23:47:46 -0700 (MST)
	(envelope-from nate)
From: Nate Williams <nate@yogotech.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15443.41618.157705.409144@caddis.yogotech.com>
Date: Sat, 26 Jan 2002 23:47:46 -0700
To: Ian Dowse <iedowse@maths.tcd.ie>
Cc: "Crist J. Clark" <cjc@FreeBSD.ORG>,
	"Thomas T. Veldhouse" <veldy@veldy.net>,
	Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness 
In-Reply-To: <200201261349.aa24682@salmon.maths.tcd.ie>
References: <20020125190552.E14394@blossom.cjclark.org>
	<200201261349.aa24682@salmon.maths.tcd.ie>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

> >But the current behavior of the two is inconsistent if
> >'firewall_enable="NO".' If you have a staticly compiled firewall, you
> >have a brick. If you don't you have a wide-open machine. The change
> >would make it wide open in both cases. That is, when you do not have
> >firewall_enable enabling firewalling, you don't have a firewall. (period)
> 
> We have numerous machines with firewall_enable="NO" (because we
> don't want the rc scripts to touch the firewall config) and both
> `options IPFIREWALL' and `options IPFIREWALL_DEFAULT_TO_ACCEPT' in
> the kernel config. A trivial firewall/dummynet configuration is
> set up in rc.local.

In essence, you don't have a firewall, but a NAT setup.  The error here
is that it just so happens that NAT is implemented in the firewall code
in FreeBSD.  IMO, this should be configured differently.

But, you bring up a good point.

> In general, xxx="NO" in rc.conf means "dont start xxx", it doesn't
> mean "don't start xxx, and if there is one running, kill it", i.e.
> ="NO" is an instruction to the rc scripts to do nothing (I'm sure
> there are a few exceptions).

Except that the firewall isn't something that needs to be
started/stopped.

> I think the existing firewall_enable
> behaviour is consistent with this, but a new "DISABLE" option could
> be added without any problems.

Agreed.


Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message