From owner-freebsd-stable Mon Jan 28 12:47:30 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mail.acns.ab.ca (mail.acns.ab.ca [142.179.151.95])
	by hub.freebsd.org (Postfix) with ESMTP id 463FD37B404
	for ; Mon, 28 Jan 2002 12:47:26 -0800 (PST)
Received: from colnta.acns.ab.ca (colnta.acns.ab.ca [192.168.1.2])
	by mail.acns.ab.ca (8.11.6/8.11.3) with ESMTP id g0SKlHV18812;
	Mon, 28 Jan 2002 13:47:17 -0700 (MST)
	(envelope-from davidc@colnta.acns.ab.ca)
Received: (from davidc@localhost)
	by colnta.acns.ab.ca (8.11.6/8.11.3) id g0SKlHk66538;
	Mon, 28 Jan 2002 13:47:17 -0700 (MST)
	(envelope-from davidc)
Date: Mon, 28 Jan 2002 13:47:17 -0700
From: Chad David
To: "Jacques A. Vidrine" , freebsd-stable@FreeBSD.ORG
Subject: Re: firewall config (CTFM)
Message-ID: <20020128134717.F66369@colnta.acns.ab.ca>
Mail-Followup-To: "Jacques A. Vidrine" , freebsd-stable@FreeBSD.ORG
References: <20020128113806.O95859-100000@rockstar.stealthgeeks.net> <20020128132015.A66369@colnta.acns.ab.ca> <20020128203640.GB42996@madman.nectar.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020128203640.GB42996@madman.nectar.cc>; from n@nectar.cc on Mon, Jan 28, 2002 at 02:36:40PM -0600
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Jan 28, 2002 at 02:36:40PM -0600, Jacques A. Vidrine wrote:
> On Mon, Jan 28, 2002 at 01:20:15PM -0700, Chad David wrote:
> > One of the things I would recommend documenting very clearly is that
> > you DO NOT NEED TO COMPILE IPFW INTO THE KERNEL.
>
> Except if you want to default to deny, you must [1]. The rc system
> loads the firewall after configuring your interfaces. This may be a
> bug.

Hmmm, possibly. But given that this is exactly the behavior that is being argued for I'm not sure I'd call it a bug.
If you want rc.conf to be able to disable or enable the actual firewall code then this is something that you have to live with, unless it defaults to deny and when == "NO" is found it disables it, but then if you for some reason make a mistake you are locked out (which I like), and that was at least one of the problems people have had with the current way things work.

-- 
Chad David        davidc@acns.ab.ca
www.FreeBSD.org   davidc@freebsd.org
ACNS Inc.         Calgary, Alberta Canada

Fourthly, The constant breeders, beside the gain of eight shillings
sterling per annum by the sale of their children, will be rid of the
charge of maintaining them after the first year. - Jonathan Swift