From owner-freebsd-stable Sun Jan 27 4:26:51 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 802A737B400; Sun, 27 Jan 2002 04:26:42 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id g0RCQfo11776; Sun, 27 Jan 2002 05:26:41 -0700 (MST) (envelope-from imp@village.org)
Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id g0RCQex80232; Sun, 27 Jan 2002 05:26:41 -0700 (MST) (envelope-from imp@village.org)
Date: Sun, 27 Jan 2002 05:26:26 -0700 (MST)
Message-Id: <20020127.052626.107682843.imp@village.org>
To: cjc@FreeBSD.ORG
Cc: nate@yogotech.com, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
From: "M. Warner Losh"
In-Reply-To: <20020127014848.F23259@blossom.cjclark.org>
References: <15443.44156.595426.139371@caddis.yogotech.com> <20020127.004656.53474822.imp@village.org> <20020127014848.F23259@blossom.cjclark.org>
X-Mailer: Mew version 2.1 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message: <20020127014848.F23259@blossom.cjclark.org>
            "Crist J. Clark" writes:
: Warner, if the proposed change were to be made, you could get the same
: effect by doing,
:
: firewall_enable="YES"
: firewall_script="/dev/null"
:
: Which I think more accurately describes the behavior you want (if
: someone were to browse the rc.conf and try to understand your
: configuration, they'd be more likely to understand what you are trying
: to do if they saw the above). You want to enable firewalling, but
: don't want to load any rules.
But I don't want it to fail unsafely. That's the part that I still do
not like about the change and why I'm making a big deal out of it.
This is a security feature that you are proposing that we depart from
our long standing tradition and make fail unsafely. rc scripts
shouldn't take things out of the kernel that people have specifically
compiled into the kernel.

Warner