Date:      Sat, 25 Mar 2000 23:08:29 -0500
From:      Tom Legg <tjlegg@shore.net>
To:        Doug Barton <Doug@gorean.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Minor rc.network bug for 4.0 and ipfw
Message-ID:  <p04310101b5033a42d23f@[207.244.92.51]>
In-Reply-To: <38DD87C8.8D8FC976@gorean.org>
References:  <p04310101b5032cb2a0b9@[207.244.92.51]> <38DD87C8.8D8FC976@gorean.org>

At 7:45 PM -0800 3/25/2000, Doug Barton wrote:
>Tom Legg wrote:
>
>>  The current situation creates a potential problem for 4.0 admins (at
>>  least I didn't notice it until I upgraded to the 4.0 kernel)
>
>	This situation hasn't changed. It's always been this way.
>
>>  If you compile a kernel with ipfw in the kernel but do nothing to
>>  modify /etc/defaults/rc.conf and boot, net.inet.ip.fw.enable is set
>>  to 1 and since the defaults for enable is NO, no further action is
>>  done upon the firewall scripts.
>
>	The theory is that a sysadmin who is enabling these options will have
>read the documentation and done what he can to properly prepare. For
>those who are concerned about foot shooting, the "default to accept"
>kernel option is available.
>
>	If you're really needing a secure firewall, it's more important that it
>is secure from boot, with or without the ability to read the rc scripts.
>If you don't need that level of security, other options are available to
>you.

No problems here really. But it does seem to be really silly then to 
have a default rc.conf firewall_enable flag set to "NO"  when the 
kernel flag default when compiled in is set to "YES".

In fact the current situation renders the rc.conf flag for 
firewall_enable moot. You might as well eliminate the flag and have 
/etc/rc.network check whether net.inet.ip.fw.enable=1 and go from 
there.

-- 
-----
Tom Legg
tjlegg@shore.net
http://www.shore.net/~tjlegg/
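The interaction described in this exchange (IPFIREWALL compiled in, so net.inet.ip.fw.enable is 1 at boot; firewall_enable=NO in rc.conf, so the rc scripts never load rules; default-deny kernel, so the box comes up unreachable) can be turned into a pre-reboot check. The script below is an added example written for this page; it is not code from the thread or from FreeBSD's /etc/rc.network. ipfw_preflight is a pure decision function over the three inputs so it can be exercised offline; ipfw_preflight_live is a hypothetical wrapper that feeds it the real sysctl, the rc.conf value (sourcing defaults first, then rc.conf, as /etc/rc does) and the default rule 65535 as reported by ipfw. Everything about the wrapper beyond those three commands is an assumption.

```shell
#!/bin/sh
# Added example for the thread above; not FreeBSD's rc.network logic.
#
# ipfw_preflight FW_ENABLE_SYSCTL FIREWALL_ENABLE [DEFAULT_TO_ACCEPT]
#   FW_ENABLE_SYSCTL   value of net.inet.ip.fw.enable (1 when IPFIREWALL is in the kernel)
#   FIREWALL_ENABLE    the rc.conf firewall_enable setting (YES/NO, any case)
#   DEFAULT_TO_ACCEPT  1 if the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, else 0
# Prints exactly one of:
#   no_ipfw                 kernel has no ipfw; rc.conf flag is irrelevant
#   rules_loaded            ipfw active and rc scripts will run the firewall setup
#   open_default_accept     ipfw active, rc scripts skipped, but default rule allows traffic
#   locked_out_default_deny ipfw active, rc scripts skipped, default rule denies: no network
ipfw_preflight() {
    fw_enable=$1
    rc_flag=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    accept=${3:-0}

    if [ "$fw_enable" != "1" ]; then
        echo no_ipfw
        return 0
    fi
    # The rc scripts treat these spellings as "enabled"; anything else is NO.
    case "$rc_flag" in
        yes|true|on|1)
            echo rules_loaded
            return 0
            ;;
    esac
    # ipfw is enforcing, but nothing will ever load a ruleset.
    if [ "$accept" = "1" ]; then
        echo open_default_accept
    else
        echo locked_out_default_deny
    fi
    return 0
}

# Hypothetical live wrapper (assumption: run as root on a FreeBSD box).
#   - net.inet.ip.fw.enable is the real sysctl OID from the thread.
#   - sourcing /etc/defaults/rc.conf then /etc/rc.conf mirrors the order /etc/rc uses.
#   - rule 65535 is ipfw's built-in default rule; it reads "allow" on a
#     DEFAULT_TO_ACCEPT kernel and "deny" otherwise.
ipfw_preflight_live() {
    fw=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null || echo 0)
    firewall_enable=NO
    [ -r /etc/defaults/rc.conf ] && . /etc/defaults/rc.conf
    [ -r /etc/rc.conf ] && . /etc/rc.conf
    accept=0
    if ipfw list 65535 2>/dev/null | grep -q allow; then
        accept=1
    fi
    ipfw_preflight "$fw" "$firewall_enable" "$accept"
}

# Usage: run before rebooting into a freshly built kernel.
#   ipfw_preflight_live
# A result of locked_out_default_deny means the next boot will come up
# with ipfw enforcing and no rules loaded, i.e. no network until you
# reach the console.
```

The point of the decision function is that the rc.conf flag only matters in one branch: once the kernel has ipfw compiled in, a NO answer does not turn the firewall off, it only stops the rules from being loaded, which is the situation Tom calls moot.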