Date: Sun, 27 Jan 2002 12:01:38 -0700 (MST)
From: "M. Warner Losh" <imp@village.org>
To: charon@seektruth.org, dsyphers@uchicago.edu
Cc: security-officer@freebsd.org, stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020127.120138.07163985.imp@village.org>
In-Reply-To: <200201271853.g0RIrVF03620@midway.uchicago.edu>
References: <200201271757.g0RHvTF12944@midway.uchicago.edu> <20020127.110854.32932954.imp@village.org> <200201271853.g0RIrVF03620@midway.uchicago.edu>

In message: <200201271853.g0RIrVF03620@midway.uchicago.edu>
            David Syphers <dsyphers@uchicago.edu> writes:
: On Sunday 27 January 2002 12:08 pm, M. Warner Losh wrote:
: > : You yourself said that you're doing things that "don't fit in well with
: > : the current firewall paradigm." So they're hacks, and you shouldn't
: > : expect them to work indefinitely.
: >
: > I relied on documented behavior. Therefore I do expect it to work
: > indefinitely.
:
: The fact that something is documented doesn't mean it should remain
: unchanged. If a manpage has a bugs section, does this mean we shouldn't try
: to fix anything listed there? Docs are supposed to conform to programs, not
: the other way around. Warner maintains UPDATING, right? A change like this
: would go in there. That file is a list of changes to documented behavior.
: And we expect people to read it, especially if they've read enough docs to
: know the true meaning of firewall_enable.

Yes. I do maintain UPDATING and do know what it is for :-). I'm
saying that FreeBSD shouldn't make these changes because it is unsafe.

: > The current behavior fails safe. The current behavior is documented.
: > I relied on that documentation when setting up my firewall. Now you
: > are wanting to change that documented behavior. It is that way
: > specifically so we fail safe.
:
: The current behavior also renders systems unusable. What good is having my
: web/mail server safe doing me if it can't process any mail or http requests?
: The default rc.conf says next to firewall_enable "Set to YES to enable
: firewall functionality," which implies that NO disables firewall
: functionality. Which is read "disables firewall", not "disables custom
: firewall scripts." I view the kernel as containing stuff that's
: _potentially_ used - I can have support in it for an ethernet card
: that's not installed. But the system doesn't hang looking for it.

Rendering the system unusable is fail safe.

: Anyway, the default rc.conf could have firewall_enable set to YES, which
: would make it "fail safe."

No. That's not fail safe. My machine will still break in an
unacceptable way by this change.

Please write up the exact details that you want to do so that those on
security-officer know exactly what you are proposing. It is my
understanding that you want to make enable_firewall=NO totally dyke
out the firewall that was compiled into the kernel and be a totally
open relay. I know that this breaks at least one machine that I have,
but I also know that this breaks our current fail-safe behavior, which
I'm strongly opposed to.

However, I think I've become too embroiled in this issue, which is why
I want the fine folks at security-officer@ to evaluate it (since I'm
on that list, I'll refrain from doing more than stating my position).
It just doesn't seem right to me.

Warner