Date:      Sun, 27 Jan 2002 05:26:26 -0700 (MST)
From:      "M. Warner Losh" <imp@village.org>
To:        cjc@FreeBSD.ORG
Cc:        nate@yogotech.com, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127.052626.107682843.imp@village.org>
In-Reply-To: <20020127014848.F23259@blossom.cjclark.org>
References:  <15443.44156.595426.139371@caddis.yogotech.com> <20020127.004656.53474822.imp@village.org> <20020127014848.F23259@blossom.cjclark.org>

In message: <20020127014848.F23259@blossom.cjclark.org>
            "Crist J. Clark" <cjc@FreeBSD.ORG> writes:
: Warner, if the proposed change were to be made, you could get the same
: effect by doing,
: 
:   firewall_enable="YES"
:   firewall_script="/dev/null"
: 
: Which I think more accurately describes the behavior you want (if
: someone were to browse the rc.conf and try to understand your
: configuration, they'd be more likely to understand what you are trying
: to do if they saw the above). You want to enable firewalling, but
: don't want to load any rules.

But I don't want it to fail unsafely.  That's the part that I still do
not like about the change and why I'm making a big deal out of it.
This is a security feature that you are proposing that we depart from
our long-standing tradition and make fail unsafely.

rc scripts shouldn't take things out of the kernel that people have
specifically compiled into the kernel.

Warner
