Date: Mon, 28 Jan 2002 07:51:14 -0600
From: "Jacques A. Vidrine" <n@nectar.cc>
To: charon@seektruth.org
Cc: security-officer@freebsd.org, stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020128135114.GG33952@madman.nectar.cc>
In-Reply-To: <200201271853.g0RIrVF03620@midway.uchicago.edu>
References: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com> <200201271757.g0RHvTF12944@midway.uchicago.edu> <20020127.110854.32932954.imp@village.org> <200201271853.g0RIrVF03620@midway.uchicago.edu>
On Sun, Jan 27, 2002 at 12:53:34PM -0600, David Syphers wrote:
> The fact that something is documented doesn't mean it should remain
> unchanged.

No, it doesn't. There's no single `fact' that makes a change acceptable or not.

> If a manpage has a bugs section, does this mean we shouldn't try
> to fix anything listed there? Docs are supposed to conform to programs, not
> the other way around. Warner maintains UPDATING, right? A change like this
> would go in there. That file is a list of changes to documented behavior.
> And we expect people to read it, especially if they've read enough docs to
> know the true meaning of firewall_enable.

At least within a release (e.g. 4.x), we try to avoid changing defaults that would result in existing administrators shooting themselves in the foot.

> The current behavior also renders systems unusable. What good is having my
> web/mail server safe doing me if it can't process any mail or http
> requests?

When you fix it, you will not have the additional worry that it has been compromised because your firewall rules weren't loaded.

> The default rc.conf says next to firewall_enable "Set to YES to enable
> firewall functionality," which implies that NO disables firewall
> functionality.

I never read it that way, but I can understand your point.

> Which is read "disables firewall", not "disables custom
> firewall scripts." I view the kernel as containing stuff that's
> _potentially_ used - I can have support in it for an ethernet card
> that's not installed. But the system doesn't hang looking for it.
>
> Anyway, the default rc.conf could have firewall_enable set to YES, which
> would make it "fail safe."

I missed the beginning of this thread. If anybody still actually cares, will they please follow Warner's suggestion and post a concise summary to <security-officer@freebsd.org>?

Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se