Date: Sun, 27 Jan 2002 12:53:34 -0600
From: David Syphers <dsyphers@uchicago.edu>
To: security-officer@freebsd.org
Cc: stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
Message-ID: <200201271853.g0RIrVF03620@midway.uchicago.edu>
In-Reply-To: <20020127.110854.32932954.imp@village.org>
References: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com> <200201271757.g0RHvTF12944@midway.uchicago.edu> <20020127.110854.32932954.imp@village.org>
On Sunday 27 January 2002 12:08 pm, M. Warner Losh wrote:
> : You yourself said that you're doing things that "don't fit in well with
> : the current firewall paradigm." So they're hacks, and you shouldn't
> : expect them to work indefinitely.
>
> I relied on documented behavior. Therefore I do expect it to work
> indefinitely.

The fact that something is documented doesn't mean it should remain unchanged. If a manpage has a bugs section, does this mean we shouldn't try to fix anything listed there? Docs are supposed to conform to programs, not the other way around.

Warner maintains UPDATING, right? A change like this would go in there. That file is a list of changes to documented behavior. And we expect people to read it, especially if they've read enough docs to know the true meaning of firewall_enable.

> The current behavior fails safe. The current behavior is documented.
> I relied on that documentation when setting up my firewall. Now you
> are wanting to change that documented behavior. It is that way
> specifically so we fail safe.

The current behavior also renders systems unusable. What good does having my web/mail server safe do me if it can't process any mail or HTTP requests?

The default rc.conf says next to firewall_enable "Set to YES to enable firewall functionality," which implies that NO disables firewall functionality. That is read as "disables firewall," not "disables custom firewall scripts."

I view the kernel as containing stuff that's _potentially_ used - I can have support in it for an ethernet card that's not installed. But the system doesn't hang looking for it.

Anyway, the default rc.conf could have firewall_enable set to YES, which would make it "fail safe."

-David

Center for Cosmological Physics
The University of Chicago

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message