Date: Mon, 28 Jan 2002 14:57:21 -0600
From: "Jacques A. Vidrine" <n@nectar.cc>
To: "M. Warner Losh" <imp@village.org>
Cc: cjm2@earthling.net, stable@freebsd.org
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <20020128205721.GF42996@madman.nectar.cc>
In-Reply-To: <20020128.135120.11184725.imp@village.org>
References: <20020128192930.GA86720@student.uu.se> <1913.216.153.202.59.1012249133.squirrel@www1.27in.tv> <20020128.135120.11184725.imp@village.org>

On Mon, Jan 28, 2002 at 01:51:20PM -0700, M. Warner Losh wrote:
> How about renaming things a little more:

I almost wrote in another message that should someone decide to rename
the knob, I hope that they will take into account the entire rc system
and make sure that the names are consistent.  If `firewall_enable' can
be improved upon, I'm sure other knobs can, too.

> 	ipfw_load_rules={yes,no}
> 	ipfw_disable_firewall={yes,no}
> 	ipfw_kldload={yes,no}
> 
> ipfw_load_rules would load ipfw rules, like firewall_enable does now.
> ipfw_disable_firewall breaks symmetry on purpose, and would disable all
>   ipfw functionality that may be compiled into the kernel.  Since this
>   is fairly explicit, it can default to no and if someone sets it to
>   yes, they know what to expect without the current ambiguous situation
>   (yes, it is ambiguous, which is why we're arguing about it).  I know
>   that all other foo_enable stuff uses the form foo_enable, but that
>   is ambiguous in this case since there are two parts.

This is why I think all the names need to be re-examined.  A better
scheme would probably result.

What we have is (IMHO) sufficient ... but there is room for
improvement.

> ipfw_kldload would allow kld the ipfw.ko module.  It would default to
>   no.

There could be a whole series of such knobs, parallel to those we use
in /boot/defaults/loader.conf.

> Note: There would be no ipfw_enable.
> 
> We should then deprecate firewall_*.  We have two firewall systems in
> the kernel (ipfw and ipfilter).  We shouldn't be favoring one by
> calling it firewall and the other as ipfilter.  No one is advocating
> disabling ipfilter also when firewall_enable=NO, are they?

Yeah, no kidding.  I use ipfilter. ;-)

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
