Date: Thu, 31 Jan 2002 02:08:41 -0330
Subject: Re: *_enable="YES" behavior is bogus
Cc: stable@FreeBSD.ORG
To: Mark Woodson
From: Paul Fardy
In-Reply-To: <5.1.0.14.0.20020130220527.02973650@127.0.0.1>

On Wednesday, January 30, 2002, at 11:40 PM, Mark Woodson wrote:

> I don't feel that the current system needs changing. It's my thought
> that if you go to the extra trouble of compiling ipfw or ipf into the
> kernel, then you want it and you get it. No matter what you've set in
> rc.conf.

I see nothing wrong with creating/using a more generic kernel and system configuration. I have several identical computer systems and I have a set of services that those systems are to provide. I'll be installing/configuring each system so that any system can provide any/every service.
The only difference is that for each service "foo", only one system will have foo_enable="YES" in its /etc/rc.conf. Ideally, to move, fail over, or load-balance a service, I need only modify the rc.conf file (and probably the DNS). I see simplicity and correctness in being able to prepare my systems to be ready to serve, but with the protection that when I explicitly say "NO", the system understands that I mean "NO".

> Perhaps the docs should be modified to make that behavior more clear, but
> if you have a machine set up as a firewall having its functionality as a
> firewall eliminated by setting enable="NO" is unacceptable from a
> security standpoint.

And therein lies the real problem. The current configuration is misleading and--to many of us--undesirable, even wrong. But security concerns make it hard to correct. It's wrong, to me (and I don't think I'm alone in this), because I believe that clarity in rc.conf is more than a desire, it's an objective. When the rc.conf file includes foo_enable="NO" it's right to expect that the system will operate like a system that does not have foo installed.

Paul Fardy
--
Systems Administrator
Computing and Communications
Memorial University of Newfoundland