Date: Sun, 27 Jan 2002 10:29:58 -0800 (PST)
From: Patrick Greenwell <patrick@stealthgeeks.net>
To: "M. Warner Losh" <imp@village.org>
Cc: jacks@sage-american.com, <cjc@FreeBSD.ORG>, <nate@yogotech.com>, <stable@FreeBSD.ORG>
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020127101431.S79713-100000@rockstar.stealthgeeks.net>
In-Reply-To: <20020127.102748.70374201.imp@village.org>
On Sun, 27 Jan 2002, M. Warner Losh wrote:
> In message: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com>
> jacks@sage-american.com writes:
> : What would be wrong with booting without loading a FW script and then
> : loading the rules after the boot is finished...???
>
> Right now what I have works. You are changing the semantics of a
> security related feature of the system in such a way that after this
> change what I have will not work.
I'm proposing the change because what currently exists is mislabeled
behavior, and my assertion (although admittedly unverified) is that the
number of people that actually want a firewall, wishing to deny all
packets via setting firewall_enable to "no", is small, and this is more
than offset by the value of using variable names/values that actually do
what they indicate that they do.
Regarding the default, if the change were made as I proposed (where setting
firewall_enable to "no" results in net.inet.ip.fw.enable being set to 0
via sysctl, which I believe to be representative of the proper action given
the variable name), would changing the default value of firewall_enable
from no to yes in the defaults rc.conf address your concern?
I understand that this represents a change, but the current behavior is
incorrect and confusing (IMO). Even choosing firewall_enable=yes and
applying an open policy is not the same thing as no firewall at all (as via
setting net.inet.ip.fw.enable=0).
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
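The semantics proposed in the message above, sketched as an added example that is not FreeBSD's rc.network or rc.firewall code and not part of the original thread. It assumes a checkyesno-style boolean test and two wrapper variables, SYSCTL_CMD and IPFW_CMD, that default to dry-run "echo" commands so the script can be run on any host without touching a real firewall; only the "open" and "closed" rule types are modelled.

```sh
#!/bin/sh
# Added example: the proposed firewall_enable semantics, where "no" means
# actively turning ipfw off (net.inet.ip.fw.enable=0) instead of merely
# skipping the rule load, which with IPFIREWALL compiled in leaves the
# kernel's default deny rule in force. SYSCTL_CMD and IPFW_CMD are
# assumptions of this example: they default to dry-run echo wrappers.

SYSCTL_CMD=${SYSCTL_CMD:-"echo sysctl"}
IPFW_CMD=${IPFW_CMD:-"echo ipfw"}

# checkyesno VALUE: rc.subr-style boolean test, reimplemented here so the
# script is self-contained. Returns 0 for yes/true/on/1, 1 otherwise.
checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_setup ENABLE [TYPE]: apply the proposed semantics.
#   ENABLE=yes -> flush, load the rule set for TYPE, then enable filtering
#   ENABLE=no  -> disable filtering entirely via sysctl
# With the default wrappers this prints the commands it would run.
firewall_setup() {
    fw_enable=$1
    fw_type=${2:-open}
    if checkyesno "$fw_enable"; then
        $IPFW_CMD -f flush
        case "$fw_type" in
            open)
                # "open" policy: the firewall is on, but passes everything.
                # Note this is still a loaded firewall, not "no firewall".
                $IPFW_CMD add 65000 pass all from any to any ;;
            closed)
                # "closed" policy: only loopback traffic is allowed.
                $IPFW_CMD add 100 pass all from any to any via lo0
                $IPFW_CMD add 65000 deny all from any to any ;;
            *)
                echo "firewall_setup: unsupported firewall_type '$fw_type'" >&2
                return 1 ;;
        esac
        $SYSCTL_CMD net.inet.ip.fw.enable=1
    else
        # The point of the proposal: "no" means no packet filtering at all.
        $SYSCTL_CMD net.inet.ip.fw.enable=0
    fi
}

# Dry run showing both branches.
firewall_setup no
firewall_setup yes open
```

Run with real wrappers (SYSCTL_CMD=sysctl IPFW_CMD=ipfw) only on a FreeBSD host with ipfw; everywhere else the default echo wrappers just show the command sequence each setting would produce.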
