From: "Mike Meyer"
Date: Thu, 31 Jan 2002 01:48:14 -0600
To: Garance A Drosihn
Cc: "Jacques A. Vidrine", freebsd-stable@FreeBSD.ORG
Subject: Dangerous before networking is turned on (Was: Proposed Solution To Recent "firewall_enable" Thread.)
Message-ID: <15448.63166.62604.785099@guru.mired.org>
References: <200201310042.g0V0g3255325@apollo.backplane.com> <20020130202356.A47852@hellblazer.nectar.cc> <20020130225454.A48040@hellblazer.nectar.cc>

Garance A Drosihn types:
> At 12:28 AM -0500 1/31/02, Garance A Drosihn wrote:
> Why should only Joe Experienced User be getting the benefit of
> booting up with the firewall active? Now, I am *definitely* not
> suggesting this for -stable, but why don't we have the default
> GENERIC kernel include the firewall support? Why should anyone
> *have* to compile a kernel to get this full-time protection?
> ("fulltime" meaning "firewall active for the entire boot sequence").

What's the danger in not having a firewall if you haven't turned any
of the network interfaces on? Granted, we don't do that now for ipfw
firewalls, but that could be fixed.

For that matter, the firewall is turned on before any network services
are started, so there shouldn't be a serious problem, barring things
like the old ping-of-death.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.