Date: Thu, 24 Jan 2002 22:22:25 -0800
From: "Crist J. Clark" <cjc@freebsd.org>
To: arch@freebsd.org
Subject: Changing rc.conf(5) firewall_enable
Message-ID: <20020124222225.O87663@blossom.cjclark.org>
Patrick Greenwell <patrick@stealthgeeks.net> brought up a good point
on -stable. The rc.conf(5) knob, firewall_enable, does not exactly
behave in the manner the novice (or not-so-novice) might expect. When
it is set to "YES," the ipfw.ko module is loaded if firewalling is not
built into the kernel, and the firewall configuration scripts are run.
However, if firewall_enable="NO", it does not disable the
firewall.

I do not see any reason why firewall_enable="NO" should not actually
disable firewalling built into the kernel by setting

  sysctl net.inet.ip.fw.enable=0

This seems to make more sense given the name, firewall_enable, and it
also seems more useful.

IMHO, this should be the behavior in -CURRENT for sure. In -STABLE, I
think it would be OK too. A machine with firewalling built into the
kernel and firewall_enable not "YES" is almost useless (if it is
not built with IPFIREWALL_DEFAULT_TO_ACCEPT). I don't think there are
any machines out there running with firewalling built into the kernel
with firewall_enable="NO" whose security will be affected by
such a change.

Other opinions? Pro? Con?
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
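The semantics proposed in the message above, as an added dry-run model that is not part of the original post or of FreeBSD's own rc scripts: it reads a knob from a constructed rc.conf fragment and prints the commands the proposed logic would run (load ipfw.ko and run the rules for "YES"; set net.inet.ip.fw.enable=0 for an in-kernel firewall when the knob is anything else). The function names rc_get, firewall_actions and firewall_plan, the SAMPLE_RC_CONF input, and the "yes"/"no" flag standing in for "IPFIREWALL compiled into the kernel" are assumptions made for the example; nothing here touches the running system.

```shell
#!/bin/sh
# Added example, not from the original message or FreeBSD's rc scripts:
# a dry-run model of the firewall_enable behaviour proposed on the list.
# Every function only prints the command it would run.

# Constructed rc.conf fragment used as sample input (not a real config).
SAMPLE_RC_CONF='# constructed sample
firewall_enable="NO"
firewall_type="open"'

# rc_get KNOB TEXT: print the value of KNOB from rc.conf-style TEXT.
# The last assignment wins and surrounding double quotes are stripped.
rc_get() {
    knob=$1
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
        "$knob="*)
            value=${line#"$knob="}
            value=${value#\"}
            value=${value%\"}
            printf '%s\n' "$value"
            ;;
        esac
    done | tail -n 1
}

# firewall_actions VALUE IN_KERNEL: print, one per line, what the proposed
# rc logic does for firewall_enable=VALUE. IN_KERNEL is "yes" when
# IPFIREWALL is compiled into the kernel and "no" when the firewall is
# only available as the ipfw.ko module (hypothetical flag for this model).
firewall_actions() {
    case "$1" in
    [Yy][Ee][Ss])
        # Current and proposed behaviour agree here: load the module if
        # the kernel lacks the firewall, then run the configuration scripts.
        if [ "$2" != "yes" ]; then
            echo "kldload ipfw"
        fi
        echo "run firewall rules"
        ;;
    *)
        # Proposed change: a kernel with IPFIREWALL compiled in is switched
        # off instead of being left with its compiled-in default rule, which
        # denies everything unless IPFIREWALL_DEFAULT_TO_ACCEPT was set.
        if [ "$2" = "yes" ]; then
            echo "sysctl net.inet.ip.fw.enable=0"
        fi
        ;;
    esac
}

# firewall_plan TEXT IN_KERNEL: look up the knob and print the actions.
firewall_plan() {
    firewall_actions "$(rc_get firewall_enable "$1")" "$2"
}

# Stand-alone demonstration on the constructed sample, kernel with IPFIREWALL.
echo "firewall_enable=$(rc_get firewall_enable "$SAMPLE_RC_CONF"), IPFIREWALL in kernel:"
firewall_plan "$SAMPLE_RC_CONF" yes
```

Run it as-is to see the "NO" case; change the sample's firewall_enable to "YES" or pass "no" as the second argument to firewall_plan to see the other branches. The empty output for firewall_enable="NO" on a kernel without IPFIREWALL is deliberate: with no firewall present there is nothing to disable.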