Date: Mon, 28 Jan 2002 12:10:17 -0800 (PST)
From: Patrick Greenwell <patrick@stealthgeeks.net>
To: Justin White <justinfinity@mac.com>
Cc: freebsd-stable@FreeBSD.ORG
Subject: re: firewall config (CTFM)
Message-ID: <20020127231521.J87241-100000@rockstar.stealthgeeks.net>
In-Reply-To: <12A141AE-13BD-11D6-876A-000393092F82@mac.com>
Note: This was my last post on this issue as I find myself merely
repeating points that I've already made. (A cheer goes up from the
crowd...)
On Mon, 28 Jan 2002, Justin White wrote:
> instead of changing the way the system works, let's change the
> documentation. new people _should_ be reading the docs, and for people
> that already know, well, their existing configuration won't need to
> change a bit.
>
> in RELENG_4 from 5 Nov, /etc/defaults/rc.conf reads:
> -snip-
> firewall_enable="NO" # Set to YES to enable firewall functionality
> firewall_script="/etc/rc.firewall" # Which script to run to set up the
> firewall
> -snip-
>
> change the first line to read:
> firewall_enable="NO" # set to YES to enable running of the
> following firewall script
Wow, you've single-handedly suggested a change that solves absolutely
nothing, and clarifies absolutely nothing. We all know what setting
firewall_enable to yes does. The problem isn't that firewall_enable=yes
doesn't do something sane and/or isn't documented (it does and is), it's that
firewall_enable=no doesn't and the inconsistent behavior it exhibits isn't
documented. Note that if you don't have firewall capabilities compiled in
and you set firewall_enable=no, guess what, you end up with no firewall,
which is how the distro ships.
I'd call that behavior non-intuitive and confusing (firewall_enable=no
actually means no if you don't have firewalling compiled in, but it means
yes if you do have firewalling compiled in.)
> since they _should_ have already read about default-deny in the kernel
> config,
Oh, you mean the one that says absolutely nothing about the
firewall_enable option, and gives only partial information that, if
followed as written, will still result in someone being locked out of their
box?
> the rc.conf docs will remind them that the kernel's policy will
> stand without any rules being run.
> i'm not trying to be mean, but if you don't read the docs, you deserve
> the problems you get.
Ah yes, another jumper-on to the RTFM and the "you get what you
deserve" bandwagon. The only small problem with your argument is that when telling
someone to RTFM, it's usually a good idea to make certain that there is
something to read. In this case there isn't.
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
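An added example, not part of this thread or of FreeBSD's own rc scripts: a POSIX sh preflight check that reads rc.conf the way /etc/rc does (defaults first, local file second, later assignments winning) and reports which of the outcomes described above applies. The function name, the sample files and the yes/no arguments for the kernel options are assumptions; the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is the one that turns IPFIREWALL's default-deny policy into accept.

```shell
# Added example (not from the thread): checks for the combination the post
# warns about: IPFIREWALL in the kernel with its default-deny policy, and
# firewall_enable="NO" so /etc/rc.firewall never loads any rules. Whether the
# kernel has IPFIREWALL / IPFIREWALL_DEFAULT_TO_ACCEPT is passed in as yes|no,
# since this script may not be run on FreeBSD.

# Mirrors rc.subr's checkyesno(): accepts yes/true/on/1 in any case.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# effective_firewall_state <kernel_has_ipfw> <kernel_default_accept> <defaults> <rcconf>
# Prints one of: none | rules | open | locked-out
effective_firewall_state() {
    kernel_has_ipfw=$1; kernel_default_accept=$2; defaults=$3; rcconf=$4
    # Source both files in a subshell so their variables stay out of this scope.
    enable=$( . "$defaults"; [ -r "$rcconf" ] && . "$rcconf"; printf '%s' "${firewall_enable:-NO}" )
    if [ "$kernel_has_ipfw" != yes ]; then
        echo none            # nothing compiled in: no firewall, whatever rc.conf says
    elif is_yes "$enable"; then
        echo rules           # rc.firewall runs and loads the firewall_type rule set
    elif [ "$kernel_default_accept" = yes ]; then
        echo open            # no rules loaded, but the kernel's default rule accepts
    else
        echo locked-out      # default deny and no rules loaded: all traffic dropped
    fi
}

# Constructed sample files standing in for /etc/defaults/rc.conf and /etc/rc.conf.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/defaults.rc.conf" <<'EOF'
firewall_enable="NO"                # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
EOF
cat > "$tmp/rc.conf" <<'EOF'
hostname="box.example"              # firewall_enable left unset: defaults to NO
EOF
cat > "$tmp/rc.conf.enabled" <<'EOF'
firewall_enable="YES"
firewall_type="client"
EOF
for rc in rc.conf rc.conf.enabled; do
    printf '%-16s IPFIREWALL default-deny -> %s\n' "$rc" \
        "$(effective_firewall_state yes no "$tmp/defaults.rc.conf" "$tmp/$rc")"
done
```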