Date: Sun, 27 Jan 2002 10:08:54 -1000 From: "Arthur W. Neilson III" <art@pilikia.net> To: freebsd-stable@freebsd.org Cc: "M. Warner Losh" <imp@village.org> Subject: Re: Firewall config non-intuitiveness Message-ID: <200201271008540790.0824F1AB@smtp> In-Reply-To: <20020127.052626.107682843.imp@village.org> References: <15443.44156.595426.139371@caddis.yogotech.com> <20020127.004656.53474822.imp@village.org> <20020127014848.F23259@blossom.cjclark.org> <20020127.052626.107682843.imp@village.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I agree with this. I have specifically compiled in IP_FIREWALL
so that the firewall will default to deny. I would rather have my
firewall be a brick than wide open and depend on that behaviour
to protect us if the firewall loads without rules. The behaviour
is well documented as many have said and it is safe for us.
On 1/27/02 at 5:26 AM M. Warner Losh wrote:
>
>But I don't want it to fail unsafely. That's the part that I still do
>not like about the change and why I'm making a big deal out of it.
>This is a security feature that you are proposing that we depart from
>our long standing tradition and make fail unsafely.
>
>rc scipts shouldn't take things out of the kernel that people have
>specifically compiled into the kernel.
>
>Warner
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-stable" in the body of the message
--
__
/ ) _/_ It is a capital mistake to theorise before one has data.
/--/ __ / Insensibly one begins to twist facts to suit theories,
/ (_/ (_<__ Instead of theories to suit facts.
-- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, WH7N - FISTS #7448
Bank of Hawaii Network Services
http://www.pilikia.net
art@pilikia.net, aneilson@boh.com, wh7n@arrl.net
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200201271008540790.0824F1AB>