Date: Sun, 27 Jan 2002 11:57:32 -0600
From: David Syphers <dsyphers@uchicago.edu>
To: "M. Warner Losh" <imp@village.org>
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <200201271757.g0RHvTF12944@midway.uchicago.edu>
In-Reply-To: <20020127.102748.70374201.imp@village.org>
References: <20020127014848.F23259@blossom.cjclark.org> <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com> <20020127.102748.70374201.imp@village.org>

On Sunday 27 January 2002 11:27 am, M. Warner Losh wrote:
> Right now what I have works.  You are changing the semantics of a
> security related feature of the system in such a way that after this
> change what I have will not work.  I agree that your work around will
> allow me to easily correct things.  However, if I fail to do so, I
> open my firewall up completely.  To me, that's an unacceptable change
> in the API.

You yourself said that you're doing things that "don't fit in well with the current firewall paradigm." So they're hacks, and you shouldn't expect them to work indefinitely.

For every person like you, there are probably ten like me, who in a state of ignorant bliss rebooted a machine they were remotely admining with firewall_enable set to NO. Imagine the surprise when I was completely locked out. As others have pointed out, this behavior is documented, but we must remember that a variable name itself is the most important and immediate documentation. And having a firewall load when firewall_enable is NO is complete nonsense.

This change would affect security only for the people who are knowledgeable enough to understand this weird variable in the first place. This effect would be minimal. A default desktop install of FreeBSD will enable Sendmail and inetd and have no firewall, and you're worried about this security effect?

-David
Center for Cosmological Physics
The University of Chicago