From: Nate Williams <nate@yogotech.com>
Date: Mon, 28 Jan 2002 13:26:03 -0700
To: Chad David
Cc: Patrick Greenwell, "Robert D. Hughes", Nate Williams, Justin White, freebsd-stable@FreeBSD.ORG
Subject: Re: firewall config (CTFM)
Message-ID: <15445.46043.85910.572903@caddis.yogotech.com>
In-Reply-To: <20020128132015.A66369@colnta.acns.ab.ca>

> Could you please explain how the following makes sense?
>
> 1) I enable ipfw in my kernel
> 2) I do not configure it to allow by default
> 3) I reboot with firewall_enable="NO"
> 4) The firewall defaults to allow
>
> If I set the default in my kernel config to deny, then that is exactly
> what I want it to do. If I want it to allow by default then that is
> what I will put in the kernel config.

Can you give me a *REAL WORLD* example of when you would want this sort
of setup once a box has been configured? (Seriously.)

Don't give me straw-man (if the box wasn't configured, etc...), since
you could just as easily enable the firewall and it behaves the same.

Basically, if you have a firewall, firewall_enable="NO" ==
firewall_enable="YES" if you don't touch /etc/rc.firewall or
/etc/rc.firewall_script.

> What you are asking for is that the firewall code not be enabled in the
> kernel (same as allow ip from any to any), which goes against your
> previous wishes when you compiled it into your kernel. Perhaps neither
> is obvious, but who gets to win?

Why did you compile in the firewall if you don't want it enabled?

In any case, the people arguing against are arguing for the sake of
keeping past behavior, regardless of how logical it should be.

"Let's keep those bugs, 'cause I've grown accustomed to them so long
that I now expect them to be there. Screw any new users who want to use
the system!"

Nate
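The situation the thread argues about (ipfw compiled in with a default-deny policy, then bypassed at boot by firewall_enable="NO") is easy to misread from a live box. The following is an added audit check, not code from the thread or from FreeBSD; it takes the values an administrator would get from `sysctl -n net.inet.ip.fw.enable` and `ipfw list` as string arguments so it runs offline on constructed samples, and it assumes the rc scripts turn a compiled-in ipfw off via net.inet.ip.fw.enable=0 when firewall_enable="NO", which is the behaviour being discussed.

```shell
#!/bin/sh
# Added example (assumed model of the rc behaviour discussed in the thread).
# effective_policy FW_ENABLE RULES
#   FW_ENABLE: value of net.inet.ip.fw.enable (0 = filter bypassed, 1 = active)
#   RULES:     output of `ipfw list`; rule 65535 is the kernel's compiled-in
#              default (deny unless IPFIREWALL_DEFAULT_TO_ACCEPT was set)
effective_policy() {
    fw_enable=$1
    rules=$2
    if [ "$fw_enable" != "1" ]; then
        # firewall_enable="NO" leaves the filter in the kernel but disabled:
        # the ruleset, including the default-deny rule, is never consulted.
        echo "allow-all (ipfw compiled in but disabled via sysctl)"
        return 0
    fi
    # With the filter active, the last rule decides what unmatched traffic gets.
    default_rule=$(printf '%s\n' "$rules" | awk '$1 == "65535" { print $2 }')
    case "$default_rule" in
        deny)  echo "default-deny (kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT)" ;;
        allow) echo "default-accept (kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT)" ;;
        *)     echo "unknown (no rule 65535 found in ruleset)" ;;
    esac
}

# Constructed sample rulesets: only the kernel default rule is loaded.
SAMPLE_RULES_DENY='65535 deny ip from any to any'
SAMPLE_RULES_ALLOW='65535 allow ip from any to any'

# Case from the thread: default-deny kernel, but firewall_enable="NO" at boot.
effective_policy 0 "$SAMPLE_RULES_DENY"
# Same kernel with the filter left enabled.
effective_policy 1 "$SAMPLE_RULES_DENY"
# Kernel built to accept by default, filter enabled.
effective_policy 1 "$SAMPLE_RULES_ALLOW"
```

On a real host, replace the sample arguments with `"$(sysctl -n net.inet.ip.fw.enable)"` and `"$(ipfw list)"`; a report of allow-all on a box whose kernel was built default-deny is exactly the mismatch the thread is about.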