From: Nate Williams
Date: Sun, 27 Jan 2002 00:30:04 -0700
To: "M. Warner Losh"
Cc: nate@yogotech.com, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <15443.44156.595426.139371@caddis.yogotech.com>
In-Reply-To: <20020127.002337.37328950.imp@village.org>

> You still haven't responded to my comment that I have it set up like
> this on some of my boxes so that I can do things that don't fit in
> well with the current firewall paradigm.  Nor to my comment that we
> shouldn't be changing a security feature in a fail*UN*safe way.

Explain to me how disabling the firewall with 'FIREWALL_ENABLE=NO' can
be unsafe?  Can you show me *ANY* system that uses a closed down
firewall that also has FIREWALL_ENABLE=NO?

That would be the only 'safe->unsafe' transition, since otherwise the
default firewall setup is wide-open.

> I'll grant that I might be in the minority here, but I sure don't want
> my ability to use my firewall going away after my "next"
> mergemaster change because you were helpful and unloaded/disabled
> stuff for me.

Fixing something that's broken is still fixing something.  If you don't
want a firewall, then why have it activated and enabled?  (This is a
rhetorical question.)

Nate