From: Garance A Drosihn
Date: Thu, 31 Jan 2002 01:17:00 -0500
To: "M. Warner Losh"
Cc: n@nectar.cc, dillon@apollo.backplane.com, freebsd-stable@FreeBSD.ORG
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]

At 10:58 PM -0700 1/30/02, M. Warner Losh wrote:
>In message:
>            Garance A Drosihn writes:
>: Why should only Joe Experienced User be getting the benefit of
>: booting up with the firewall active?  Now, I am *definitely* not
>: suggesting this for -stable, but why don't we have the default
>: GENERIC kernel include the firewall support?  Why should anyone
>: *have* to compile a kernel to get this full-time protection?
>: ("fulltime" meaning "firewall active for the entire boot sequence").
>
>ipfw or ipfilter.  which one should we choose?  That's why.

Pick either.
Pick the one with the most-bsd-ish license.
Pick a (new) third one, one which is very minimal.  Maybe it isn't
even configurable, and it just blocks all packets from outside the
subnet the machine is on.
As long as the person can change it, wouldn't either choice be
better than no firewall?  (if the net continues to become more
hostile)

[I'm just tossing out a few ideas for consideration, I don't
know enough to have an opinion on this one ...  I'll shut-up
now :-) ]

-- 
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer               or  gad@freebsd.org
Rensselaer Polytechnic Institute        or  drosih@rpi.edu