From: "M. Warner Losh"
Date: Mon, 28 Jan 2002 13:14:14 -0700 (MST)
To: nate@yogotech.com
Cc: ertr1013@student.uu.se, cjm2@earthling.net, charon@seektruth.org, dsyphers@uchicago.edu, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-Id: <20020128.131414.49257581.imp@village.org>
In-Reply-To: <15445.44102.288461.155113@caddis.yogotech.com>
References: <1617.216.153.202.59.1012240332.squirrel@www1.27in.tv> <20020128192930.GA86720@student.uu.se> <15445.44102.288461.155113@caddis.yogotech.com>
Sender: owner-freebsd-stable@FreeBSD.ORG

In message: <15445.44102.288461.155113@caddis.yogotech.com>
            Nate Williams writes:
: If I enable the clutch in my car, my car moves (assuming it's in gear).
: If I disable it, the power is no longer going to the drive wheels.

That's not quite right, but it is a good analogy. If you disable your clutch, then you are going to have to shift without it and deal with putting it into gear at stops. If you enable your clutch, then you can use it to help in shifting.

This isn't quite the same as what you said, and an analogous condition exists with the firewall rules. If you engage your clutch, then you can shift. If you disengage your clutch, then your car will go if it is in gear (and won't if it isn't).

Also, when you enable apm, you aren't enabling power management. That's done in the BIOS. You are enabling the OS using the power management. If you set apm_enable to NO, then the OS doesn't enable power management, but at the same time it doesn't go down to the BIOS to turn off the power management settings in the BIOS. The effects in this case are almost identical, but some BIOSes will still spin down the hard disk, etc., even when APM isn't engaged.

When you say sendmail_enable=NO, it doesn't prevent another mailer from binding to port 25. It just fails to start sendmail, which is the default behavior for the system. If you have sendmail_enable=NO, it doesn't go through and delete the mail queue, or make it impossible to run sendmail from a cron job.

I'd argue that firewall_enable is poorly named, but does the same thing. At most we should rename it to ipfw_maybe_load_ipfw_and_then_load_rules to be 100% correct. firewall_enable=YES means, right now:

1) If ipfw isn't in the kernel, load it.
2) Load the rules.

firewall_enable=NO means do nothing. Same as when sendmail_enable=NO.

Warner
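The two-step semantics Warner describes for firewall_enable (YES: load ipfw if it is not already in the kernel, then load the rules; NO: do nothing, which neither unloads the module nor flushes whatever rules the kernel already has) can be written down as a small rc-style script. This is an added example, not Warner's text and not FreeBSD's own rc.network or rc.firewall code. The probes and actions are wrapped in functions so the decision logic can be exercised on a host without kldstat or kldload: the IPFW_PRESENT variable, the DRY_RUN switch and the FIREWALL_RULES_FILE default are constructed for this example, and real kldload/sh calls happen only with DRY_RUN=0 on a FreeBSD box.

```shell
#!/bin/sh
# Added example modelling firewall_enable as described in the thread.
# Not the rc scripts shipped with FreeBSD; names below are assumptions.

FIREWALL_RULES_FILE="${FIREWALL_RULES_FILE:-/etc/rc.firewall}"  # assumed path

# checkyesno-style parsing: accept the usual spellings, warn on anything else.
fw_checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0|'') return 1 ;;
        *) echo "warning: firewall_enable=$1 is not YES or NO; treating as NO" >&2
           return 1 ;;
    esac
}

# Is ipfw already in the kernel?  On FreeBSD this is a real kldstat probe;
# when IPFW_PRESENT is set (constructed for testing) it stands in instead.
fw_ipfw_in_kernel() {
    if [ -n "${IPFW_PRESENT+x}" ]; then
        [ "$IPFW_PRESENT" = 1 ]
    else
        kldstat -q -m ipfw 2>/dev/null
    fi
}

# Start-up logic for firewall_enable.  Prints the actions it takes, joined
# by "; ", so the decision can be inspected.  DRY_RUN=1 (the default here)
# only reports; DRY_RUN=0 actually runs kldload and the rules file.
fw_start() {
    enable="$1"
    actions=""
    if fw_checkyesno "$enable"; then
        # Step 1: load ipfw only if it is not already in the kernel.
        if ! fw_ipfw_in_kernel; then
            actions="kldload ipfw; "
            [ "${DRY_RUN:-1}" = 1 ] || kldload ipfw
        fi
        # Step 2: load the rules.
        actions="${actions}sh $FIREWALL_RULES_FILE"
        [ "${DRY_RUN:-1}" = 1 ] || sh "$FIREWALL_RULES_FILE"
    elif fw_ipfw_in_kernel; then
        # NO does nothing: the module stays loaded and its current rules
        # (including the kernel's default rule) remain in force.
        echo "firewall_enable=$enable: ipfw is still in the kernel; existing rules untouched" >&2
    fi
    printf '%s\n' "$actions"
}
```

The stderr line in the NO branch is the practical caveat: setting firewall_enable=NO on a kernel that already has ipfw in it changes nothing about that kernel's ruleset, so whatever rule is in effect keeps filtering.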