From owner-freebsd-stable Mon Jan 28 12:57:29 2002
Date: Mon, 28 Jan 2002 14:57:21 -0600
From: "Jacques A. Vidrine"
To: "M. Warner Losh"
Cc: cjm2@earthling.net, stable@freebsd.org
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <20020128205721.GF42996@madman.nectar.cc>
In-Reply-To: <20020128.135120.11184725.imp@village.org>

On Mon, Jan 28, 2002 at 01:51:20PM -0700, M. Warner Losh wrote:
> How about renaming things a little more:

I almost wrote in another message that should someone decide to rename
the knob, I hope that they will take into account the entire rc system
and make sure that the names are consistent. If `firewall_enable' can
be improved upon, I'm sure other knobs can, too.

> ipfw_load_rules={yes,no}
> ipfw_disable_firewall={yes,no}
> ipfw_kldload={yes,no}
>
> ipfw_load_rules would load ipfw rules, like firewall_enable does now.
> ipfw_disable_firewall breaks symmetry on purpose, and would disable all
> ipfw functionality that may be compiled into the kernel. Since this
> is fairly explicit, it can default to no and if someone sets it to
> yes, they know what to expect without the current ambiguous situation
> (yes, it is ambiguous, which is why we're arguing about it). I know
> that all other foo_enable stuff uses the form foo_enable, but that
> is ambiguous in this case since there are two parts.

This is why I think all the names need to be re-examined. A better
scheme would probably result. What we have is (IMHO) sufficient ...
but there is room for improvement.

> ipfw_kldload would allow kld the ipfw.ko module. It would default to
> no.

There could be a whole series of such knobs, parallel to those we use
in /boot/defaults/loader.conf.

> Note: There would be no ipfw_enable.
>
> We should then deprecate firewall_*. We have two firewall systems in
> the kernel (ipfw and ipfilter). We shouldn't be favoring one by
> calling it firewall and the other as ipfilter. No one is advocating
> disabling ipfilter also when firewall_enable=NO, are they?

Yeah, no kidding. I use ipfilter. ;-)

Cheers,
-- 
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se