From owner-freebsd-stable Mon Jan 28 12:46:16 2002
To: art@pilikia.net
Cc: "Erik Trulsson", freebsd-stable@freebsd.org, owner-freebsd-stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
From: "Robert L Sowders"
Date: Mon, 28 Jan 2002 12:45:57 -0800

You have obviously missed the beginning of this thread, check google to come up to speed

"Arthur W. Neilson III"
Sent by: owner-freebsd-stable@FreeBSD.ORG
01/28/2002 12:36 PM
Please respond to art

To: "Erik Trulsson"
cc: freebsd-stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness

Right on. I want my firewalls to protect by default, no dufus admin
typo can accidentally expose us to intrusion. Most security doctrines
adhere to the tenet of denying by default and allowing as needed
instead of vice versa. To allow by default is asking for trouble.

On 1/28/02 at 8:29 PM Erik Trulsson wrote:

>
>So, while I agree the current situation might not be quite as
>intuitive as it might be changing the behaviour of firewall_enable="NO"
>to actually disabling the firewall is, IMO, *not* the right way to fix
>this.
>(If the admin went to the trouble of adding IPFIREWALL to the kernel,
>the default behaviour should be to not disable it.)

--
   __
  /  )        _/_   It is a capital mistake to theorise before one has data.
 /--/ __  /         Insensibly one begins to twist facts to suit theories,
/  (_/ (_<__        Instead of theories to suit facts.
                    -- Sherlock Holmes, "A Scandal in Bohemia"

Arthur W. Neilson III, WH7N - FISTS #7448
Bank of Hawaii Network Services
http://www.pilikia.net
art@pilikia.net, aneilson@boh.com, wh7n@arrl.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message