Date: Fri, 25 Jan 2002 09:54:21 +0200
From: Ruslan Ermilov
To: "Crist J. Clark"
Cc: arch@FreeBSD.ORG
Subject: Re: Changing rc.conf(5) firewall_enable
Message-ID: <20020125095421.B57703@sunbay.com>
In-Reply-To: <20020124222225.O87663@blossom.cjclark.org>

On Thu, Jan 24, 2002 at 10:22:25PM -0800, Crist J. Clark wrote:
> Patrick Greenwell brought up a good point
> on -stable. The rc.conf(5) knob, firewall_enable, does not exactly
> behave in the manner the novice (or not-so-novice) might expect. When
> it is set to "YES," the ipfw.ko module is loaded if firewalling is not
> built into the kernel, and the firewall configuration scripts are run.
> However, if 'firewall_enable="NO",' it does not disable the
> firewall.
>
> I do not see any reason why 'firewall_enable="NO"' should not actually
> disable firewalling built into the kernel by setting,
>
>   sysctl net.inet.ip.fw.enable=0
>
> This seems to make more sense given the name, firewall_enable, and it
> also seems more useful.
>
> IMHO, this should be the behavior in -CURRENT for sure. In -STABLE, I
> think it would be OK too. A machine with firewalling built into the
> kernel and firewall_enable not "YES" is almost useless (if it is
> not built with IPFIREWALL_DEFAULT_TO_ACCEPT). I don't think there are
> any machines out there running with firewalling built into the kernel
> with 'firewall_enable="NO"' who will have their security affected by
> such a change.
>
> Other opinions? Pro? Con?
>
Please count me in for this change.

Seems you've managed to get rid of that extra space. :-)


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
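
An added example, not part of the thread and not FreeBSD's rc code: a small audit that flags the state the thread discusses, where rc.conf does not say firewall_enable="YES" but net.inet.ip.fw.enable is still on. The function names are hypothetical, and only YES (any case) is counted as enabled, as a simplifying assumption.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not FreeBSD's rc scripts).
# On a host: fw_knob_audit /etc/rc.conf \
#     "$(sysctl -n net.inet.ip.fw.enable 2>/dev/null || echo absent)"

# Print the last firewall_enable value assigned in an rc.conf-style file.
# The file is parsed, not sourced, so auditing it executes nothing from it.
rc_firewall_enable() {
    sed -n "s/^[[:space:]]*firewall_enable=[\"']\{0,1\}\([A-Za-z0-9]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# $1 = rc.conf path
# $2 = value of net.inet.ip.fw.enable: "1", "0", or "absent" when ipfw is
#      neither built into the kernel nor loaded
# Prints one status line; returns 1 when the knob and the kernel disagree.
fw_knob_audit() {
    knob=$(rc_firewall_enable "$1")
    case "$knob" in
        [Yy][Ee][Ss]) want=on ;;
        *)            want=off ;;   # unset or anything else: not enabled
    esac
    case "$want:$2" in
        on:1)
            echo "OK: firewall_enable=YES and the kernel firewall is enabled" ;;
        on:0)
            echo "MISMATCH: firewall_enable=YES but net.inet.ip.fw.enable=0"
            return 1 ;;
        on:absent)
            echo "INFO: ipfw not present yet; rc loads ipfw.ko when the knob is YES" ;;
        off:1)
            # The case raised in the thread: the knob does not switch the
            # firewall off, so only the kernel's default rule applies.
            echo "MISMATCH: firewall_enable is not YES but net.inet.ip.fw.enable=1"
            return 1 ;;
        *)
            echo "OK: firewall_enable is not YES and the kernel firewall is off" ;;
    esac
}
```

With the change proposed in the thread, the second MISMATCH case would no longer occur after boot, because rc would set net.inet.ip.fw.enable=0 itself.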