From: Matthew Whelan
To: freebsd-stable@freebsd.org
Date: Sun, 27 Jan 2002 19:19:46 -0000
In-Reply-To: <200201271757.g0RHvTF12944@midway.uchicago.edu>
Subject: Re: Firewall config non-intuitiveness

27/01/2002 17:57:32, David Syphers wrote:

> On Sunday 27 January 2002 11:27 am, M. Warner Losh wrote:
>> Right now what I have works. You are changing the semantics of a
>> security related feature of the system in such a way that after this
>> change what I have will not work. I agree that your work around will
>> allow me to easily correct things. However, if I fail to do so, I
>> open my firewall up completely. To me, that's an unacceptable change
>> in the API.

I'm kinda with Warner on this one :)

There's also the question of the gap between initial install and constructing the firewall rules... admittedly there's no good reason to have the box plugged in at this point, but people may forget to take it out after nfs/ftp installing.

> As others have pointed out this behavior is
> documented, but we must remember that a variable name itself is the most
> important and immediate documentation. And having a firewall load when
> firewall_enable is NO is complete nonsense.

Well, this is a good point. The point it raises is that the variable name is wrong. In the case of a compiled-in firewall, the behaviour is 'apply_firewall_rules', not 'firewall_enable'. The proposed change would make 'firewall_enable=NO' behave not like it reads but as 'firewall_disable=YES'. Compiling the firewall into your kernel and then having rc remove it *would be* a complete nonsense.

Matthew
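The semantic change the thread argues over, modelled as an added example (this is not FreeBSD's rc code and not from any poster): a small function that reports what the rc firewall step leaves in effect for a given kernel/rc.conf combination under the current semantics and under the proposed change, plus a check for the fail-open case Warner describes. It assumes that a kernel with IPFIREWALL compiled in and no rules loaded denies all traffic by default; the policy names are constructed for this model.

```sh
#!/bin/sh
# Added example, not FreeBSD's rc code. Models the firewall step of rc
# under the two semantics discussed in the thread.
# Assumption: IPFIREWALL compiled in with no rules loaded = deny all.

# effective_policy KERNEL_BUILTIN FIREWALL_ENABLE SEMANTICS
#   KERNEL_BUILTIN : yes|no   (IPFIREWALL in the kernel config)
#   FIREWALL_ENABLE: YES|NO   (rc.conf firewall_enable)
#   SEMANTICS      : current|proposed
# Prints one of: none | deny-all | rules | open
effective_policy() {
    builtin="$1" enable="$2" semantics="$3"
    case "$enable" in
        [Yy][Ee][Ss])
            # rc loads the module if needed and applies the rule set
            echo rules ;;
        *)
            case "$semantics" in
                current)
                    # rc touches nothing; a compiled-in firewall keeps
                    # its default (deny), a non-compiled one is absent
                    if [ "$builtin" = yes ]; then echo deny-all; else echo none; fi ;;
                proposed)
                    # rc actively opens the firewall, i.e. the variable
                    # really acts as 'firewall_disable=YES'
                    if [ "$builtin" = yes ]; then echo open; else echo none; fi ;;
                *)
                    echo "unknown semantics: $semantics" >&2; return 1 ;;
            esac ;;
    esac
}

# True when a host that was protected by default-deny under the current
# semantics would become wide open after the change with no rc.conf edit.
fails_open() {
    before=$(effective_policy "$1" "$2" current)
    after=$(effective_policy "$1" "$2" proposed)
    [ "$before" = deny-all ] && [ "$after" = open ]
}
```

Run `fails_open yes NO` to reproduce the combination Warner objects to: compiled-in firewall, `firewall_enable=NO`, and the change applied without the work-around.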