Date: Sun, 27 Jan 2002 05:26:26 -0700 (MST)
From: "M. Warner Losh" <imp@village.org>
To: cjc@FreeBSD.ORG
Cc: nate@yogotech.com, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020127.052626.107682843.imp@village.org>
In-Reply-To: <20020127014848.F23259@blossom.cjclark.org>
References: <15443.44156.595426.139371@caddis.yogotech.com> <20020127.004656.53474822.imp@village.org> <20020127014848.F23259@blossom.cjclark.org>

In message: <20020127014848.F23259@blossom.cjclark.org>
            "Crist J. Clark" <cjc@FreeBSD.ORG> writes:
: Warner, if the proposed change were to be made, you could get the same
: effect by doing,
:
:   firewall_enable="YES"
:   firewall_script="/dev/null"
:
: Which I think more accurately describes the behavior you want (if
: someone were to browse the rc.conf and try to understand your
: configuration, they'd be more likely to understand what you are trying
: to do if they saw the above). You want to enable firewalling, but
: don't want to load any rules.

But I don't want it to fail unsafely. That's the part that I still do
not like about the change and why I'm making a big deal out of it.
This is a security feature that you are proposing that we depart from
our long-standing tradition and make fail unsafely. rc scripts
shouldn't take things out of the kernel that people have specifically
compiled into the kernel.

Warner