From: David Syphers
Reply-To: charon@seektruth.org
To: security-officer@freebsd.org
Cc: stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
Date: Sun, 27 Jan 2002 12:53:34 -0600
Message-Id: <200201271853.g0RIrVF03620@midway.uchicago.edu>
In-Reply-To: <20020127.110854.32932954.imp@village.org>
References: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com> <200201271757.g0RHvTF12944@midway.uchicago.edu> <20020127.110854.32932954.imp@village.org>

On Sunday 27 January 2002 12:08 pm, M. Warner Losh wrote:
> : You yourself said that you're doing things that "don't fit in well with
> : the current firewall paradigm." So they're hacks, and you shouldn't
> : expect them to work indefinitely.
>
> I relied on documented behavior. Therefore I do expect it to work
> indefinitely.

The fact that something is documented doesn't mean it should remain
unchanged. If a manpage has a bugs section, does this mean we shouldn't
try to fix anything listed there? Docs are supposed to conform to
programs, not the other way around.

Warner maintains UPDATING, right? A change like this would go in there.
That file is a list of changes to documented behavior. And we expect
people to read it, especially if they've read enough docs to know the
true meaning of firewall_enable.

> The current behavior fails safe. The current behavior is documented.
> I relied on that documentation when setting up my firewall. Now you
> are wanting to change that documented behavior. It is that way
> specifically so we fail safe.

The current behavior also renders systems unusable. What good does having
my web/mail server safe do me if it can't process any mail or http
requests?

The default rc.conf says next to firewall_enable "Set to YES to enable
firewall functionality," which implies that NO disables firewall
functionality. Which is read "disables firewall," not "disables custom
firewall scripts."

I view the kernel as containing stuff that's _potentially_ used - I can
have support in it for an ethernet card that's not installed. But the
system doesn't hang looking for it.

Anyway, the default rc.conf could have firewall_enable set to YES, which
would make it "fail safe."

-David

Center for Cosmological Physics
The University of Chicago
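The lock-out the thread is arguing about comes from two pieces that are easy to read as one: a kernel built with "options IPFIREWALL" (and without "options IPFIREWALL_DEFAULT_TO_ACCEPT") installs ipfw with a final rule 65535 of "deny ip from any to any", while /etc/rc.firewall only loads a ruleset such as firewall_type="open" when rc.conf has firewall_enable="YES". The script below is an added example, not part of the original thread and not FreeBSD's own rc code: a pre-reboot check that reads a kernel config and an rc.conf and reports whether the host would come up with no rules loaded on a default-deny kernel. The sample kernel config and rc.conf files it writes are constructed for the example; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread or of FreeBSD's rc scripts.
# Pre-reboot sanity check for the ipfw lock-out discussed above:
#   - "options IPFIREWALL" installs ipfw whose final rule 65535 is
#     "deny ip from any to any", unless the kernel also has
#     "options IPFIREWALL_DEFAULT_TO_ACCEPT";
#   - /etc/rc.firewall only loads rules (e.g. firewall_type="open") when
#     rc.conf sets firewall_enable to YES.
# A default-deny kernel plus firewall_enable="NO" therefore boots with no
# rules and drops every packet. The sample files written by write_samples
# are constructed for this example.

# Print the value of an rc.conf variable (last assignment wins, as in sh),
# with quotes, trailing comment and whitespace stripped. Prints "NO" when
# the variable is unset, which is how rc.subr's checkyesno treats it.
rc_value() {  # $1 = rc.conf path, $2 = variable name
    val=$(grep "^$2=" "$1" | tail -n 1 \
          | sed -e 's/^[^=]*=//' -e 's/#.*//' -e "s/[\"']//g" -e 's/[[:space:]]//g')
    printf '%s\n' "${val:-NO}"
}

# True if the kernel config contains "options <name>" with that exact name
# (so IPFIREWALL does not match IPFIREWALL_VERBOSE).
kernel_has() {  # $1 = kernel config path, $2 = option name
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|#|$)" "$1"
}

# Return 0 if the host will accept traffic after a reboot, 1 if ipfw's
# default-deny rule would be the only rule in effect.
check_firewall_config() {  # $1 = kernel config path, $2 = rc.conf path
    if ! kernel_has "$1" IPFIREWALL; then
        return 0        # no ipfw in the kernel, nothing to block
    fi
    if kernel_has "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        return 0        # rule 65535 is "allow ip from any to any"
    fi
    # Same spellings of "yes" that rc.subr's checkyesno accepts.
    case "$(rc_value "$2" firewall_enable)" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;  # rc.firewall loads rules
        *) return 1 ;;                                       # nothing loaded: deny all
    esac
}

# Constructed sample inputs: a default-deny kernel and two rc.conf variants.
write_samples() {  # $1 = directory to write into
    cat > "$1/KERNEL" <<'EOF'
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
EOF
    cat > "$1/rc.conf.bad" <<'EOF'
firewall_enable="NO"     # reads as "disable the firewall"; really "don't run rc.firewall"
EOF
    cat > "$1/rc.conf.good" <<'EOF'
firewall_enable="YES"
firewall_type="open"     # rc.firewall's pass-everything ruleset
EOF
}

report() {  # $1 = kernel config path, $2 = rc.conf path
    if check_firewall_config "$1" "$2"; then
        echo "$2: OK, rules will be loaded or the kernel defaults to accept"
    else
        echo "$2: LOCK-OUT, default-deny kernel with firewall_enable=$(rc_value "$2" firewall_enable)"
    fi
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
report "$sample_dir/KERNEL" "$sample_dir/rc.conf.bad"
report "$sample_dir/KERNEL" "$sample_dir/rc.conf.good"
rm -rf "$sample_dir"
```

On a real box the same check is `report /usr/src/sys/i386/conf/MYKERNEL /etc/rc.conf` before rebooting into a new kernel; after boot, `ipfw show` tells you which of the two cases you actually landed in.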