Date:      Mon, 28 Jan 2002 13:41:27 -0700
From:      Chad David <davidc@acns.ab.ca>
To:        Nate Williams <nate@yogotech.com>
Cc:        Patrick Greenwell <patrick@stealthgeeks.net>, "Robert D. Hughes" <rob@robhughes.com>, Justin White <justinfinity@mac.com>, freebsd-stable@FreeBSD.ORG
Subject:   Re: firewall config (CTFM)
Message-ID:  <20020128134127.E66369@colnta.acns.ab.ca>
In-Reply-To: <15445.46043.85910.572903@caddis.yogotech.com>; from nate@yogotech.com on Mon, Jan 28, 2002 at 01:26:03PM -0700
References:  <B95B566BD245174196CA4EE29E5818831B6469@HEXCH01.robhughes.com> <20020128113806.O95859-100000@rockstar.stealthgeeks.net> <20020128132015.A66369@colnta.acns.ab.ca> <15445.46043.85910.572903@caddis.yogotech.com>

On Mon, Jan 28, 2002 at 01:26:03PM -0700, Nate Williams wrote:
> > Could you please explain how the following makes sense?
> > 
> > 	1) I enable ipfw in my kernel
> > 	2) I do not configure it to allow by default
> > 	3) I reboot with firewall_enable="NO"
> > 	4) The firewall defaults to allow
> > 
> > If I set the default in my kernel config to deny, then that is exactly
> > what I want it to do.  If I want it to allow by default then that is
> > what I will put in the kernel config.
> 
> Can you give me a *REAL WORLD* example of when you would want this sort
> of setup once a box has been configured?  (Seriously).

I actually do this all of the time when I do updates on my gateway.  I
drop the security level, disable the firewall and reboot.  After that
I install the new kernel etc., reset everything and reboot again (to
test it).

I wouldn't object to being told, "use firewall_type="CLOSED" as
firewall_enable="NO" disables the firewall code", but this would
have to be well documented, and probably introduced into current,
and not stable.

> 
> Don't give me straw-man (if the box wasn't configured, etc...), since
> you could just as easily enable the firewall and it behaves the same.
> 
> Basically, if you have a firewall, firewall_enable="NO" ==
> firewall_enable="YES" if you don't touch /etc/rc.firewall or
> /etc/rc.firewall_script.

As I pointed out in my other email to you, what are we enabling and
disabling?  By the documentation not the code, but the rules.  Again,
I don't have a problem with this changing, as long as it is documented
and introduced into the correct branch.

> 
> > What you are asking for is that the firewall code not be enabled in the
> > kernel (same as allow ip from any to any), which goes against your
> > previous wishes when you compiled it into your kernel.  Perhaps neither
> > is obvious, but who gets to win?.
> 
> Why did you compile in the firewall if you don't want it enabled?

That's my question :).

> 
> In any case, the people arguing against are arguing for the sake of
> keeping past behavior, regardless of how logical it should be.
> 
> "Let's keep those bugs, cause I've grown accustomed to them so long that
> I now expect them to be there.  Screw any new users who want to use the
> system!"
> 

I'm not, I just want to make sure we are all on the same page while
we argue; otherwise, we will never agree and all of this is for
nothing (if I wanted that I would join the Linux kernel mailing lists).

-- 
Chad David        davidc@acns.ab.ca
www.FreeBSD.org   davidc@freebsd.org
ACNS Inc.         Calgary, Alberta Canada
Fourthly, The constant breeders, beside the gain of eight shillings
sterling per annum by the sale of their children, will be rid of the
charge of maintaining them after the first year. - Jonathan Swift