Date: Sun, 27 Jan 2002 10:29:58 -0800 (PST)
From: Patrick Greenwell
To: "M. Warner Losh"
Cc: jacks@sage-american.com, freebsd-stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020127.102748.70374201.imp@village.org>
Message-ID: <20020127101431.S79713-100000@rockstar.stealthgeeks.net>

On Sun, 27 Jan 2002, M. Warner Losh wrote:

> In message: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com>
>             jacks@sage-american.com writes:
> : What would be wrong with booting without loading a FW script and then
> : loading the rules after the boot is finished...???
>
> Right now what I have works. You are changing the semantics of a
> security related feature of the system in such a way that after this
> change what I have will not work.

I'm proposing the change because what currently exists is mislabeled behavior, and my assertion (although admittedly unverified) is that the number of people that actually want a firewall, wishing to deny all packets via setting firewall_enable to "no", is small, and this is more than offset by the value of using variable names/values that actually do what they indicate that they do.

Regarding the default, if the change were made as I proposed (where setting firewall_enable to "no" results in net.inet.ip.fw.enable being set to 0 via sysctl, which I believe to be representative of the proper action given the variable name), would changing the default value of firewall_enable from no to yes in the defaults rc.conf address your concern? I understand that this represents a change, but the current behavior is incorrect and confusing (IMO). Even choosing firewall_enable=yes and applying an open policy is not the same thing as no firewall at all (as via setting net.inet.ip.fw.enable=0).

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC.
Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
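The distinction the message turns on (an "open" policy with ipfw enabled, ipfw disabled outright via net.inet.ip.fw.enable=0, and ipfw present but with no rule script loaded, which leaves only the default deny rule) is easy to get wrong from rc.conf alone. The following POSIX shell check is an added example, not code from this thread or from FreeBSD's rc scripts: it classifies the state a host is actually in from the sysctl value and the text of `ipfw list`. The function name ipfw_state, the classification heuristic, and the sample rule listings are this example's own constructions.

```shell
#!/bin/sh
# ipfw_state ENABLE RULES
#   ENABLE: value of the net.inet.ip.fw.enable sysctl (0 or 1)
#   RULES:  text of 'ipfw list' output
# Prints one of: disabled, open, filtering, deny-all.
# Heuristic (example's own): a rule line that ends in
# "allow ip from any to any" with no qualifier passes everything,
# which is what rc.conf's "open" firewall type amounts to.
ipfw_state() {
    enable="$1"
    rules="$2"

    # Kernel skips the ruleset entirely: no firewall at all.
    if [ "$enable" = "0" ]; then
        echo "disabled"
        return 0
    fi

    # Unconditional allow-all rule present: enabled but open.
    if printf '%s\n' "$rules" | grep -q ' allow ip from any to any$'; then
        echo "open"
        return 0
    fi

    # Any rule besides the default rule 65535 means real filtering.
    nondefault=$(printf '%s\n' "$rules" | grep -v '^65535 ' | grep -c . || true)
    if [ "$nondefault" -gt 0 ]; then
        echo "filtering"
        return 0
    fi

    # Only the default rule left; with a default-deny kernel that is
    # the "firewall_enable=no but ipfw compiled in" case.
    echo "deny-all"
}

# On a real FreeBSD host the inputs would come from:
#   ipfw_state "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)"
# Constructed sample listing, loosely shaped like an "open" ruleset:
SAMPLE_OPEN='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed sample: ipfw present, no script loaded, default-deny kernel.
SAMPLE_NOSCRIPT='65535 deny ip from any to any'

if [ "${1:-}" = "demo" ]; then
    echo "open ruleset, enable=1: $(ipfw_state 1 "$SAMPLE_OPEN")"
    echo "open ruleset, enable=0: $(ipfw_state 0 "$SAMPLE_OPEN")"
    echo "no script,    enable=1: $(ipfw_state 1 "$SAMPLE_NOSCRIPT")"
fi
```

Run with `sh script.sh demo` to see the three states side by side; the point for an auditor is that "open" and "disabled" look identical from outside the host but are different kernel states, and that the no-script case silently fails closed.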