From: Nate Williams
Date: Mon, 28 Jan 2002 14:08:57 -0700
To: "M. Warner Losh"
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
In-Reply-To: <20020128.135120.11184725.imp@village.org>
Message-ID: <15445.48617.802871.870971@caddis.yogotech.com>

> How about renaming things a little more:
>
> ipfw_load_rules={yes,no}
> ipfw_disable_firewall={yes,no}
> ipfw_kldload={yes,no}

I don't mind the first two, but I dislike the third for the following reasons.

1) We are moving (slowly) to a kernel where things are loaded 'automagically'. In other words, the user shouldn't have to explicitly load a module if it's being used. (All of the network adapters are moving in this direction.)
2) If possible (I've not analyzed this), it would be nice that if the firewall is 'enabled' (second variable), the script would determine *IF* the firewall module is in the kernel or not (like is done with the current network adapter modules), and if not, load it. This obviates the need for the third rule.

That being said, I'd argue for a rename of rule 2 to 'ipfw_enable_firewall', which when set to 'YES', loads the firewall capability (if necessary) and ensures that its sysctl is set correctly. If set to NO, simply disables the sysctl if it exists (no need to unload the module in the startup scripts, IMO).

The default behavior of the firewall would be related to how it was configured statically in the kernel, or how the module was created. No more confusion.

(Also, another reason for 'enable' vs. 'disable' is it's more consistent with the other variables we are using in the rc.conf file.)

Nate
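As an added illustration (not part of the thread, and not FreeBSD's rc code), here is a sketch of the startup-script logic the message describes for a hypothetical 'ipfw_enable_firewall' knob: load the module only when it is missing, enable the sysctl on YES, disable it (without unloading) on NO, and leave the kernel's own default alone otherwise. It assumes FreeBSD's kldstat(8), kldload(8) and sysctl(8), and that the relevant sysctl is net.inet.ip.fw.enable, which the message does not name.

```sh
#!/bin/sh
# Added example, not from the thread: rc logic for an assumed
# ipfw_enable_firewall knob. Assumes kldstat(8), kldload(8), sysctl(8)
# and the net.inet.ip.fw.enable sysctl (name is our assumption).

ipfw_module_present() {
    # True if ipfw is in the running kernel, whether compiled in
    # statically or already loaded as a module.
    kldstat -m ipfw >/dev/null 2>&1
}

ipfw_apply() {
    # $1: the rc.conf value of ipfw_enable_firewall (YES/NO, any case).
    case "$1" in
    [Yy][Ee][Ss])
        # Load only when the capability is absent, so a static kernel
        # or an already-loaded module is left untouched.
        if ! ipfw_module_present; then
            kldload ipfw || return 1
        fi
        sysctl net.inet.ip.fw.enable=1 >/dev/null
        ;;
    [Nn][Oo])
        # Disable only if the sysctl exists; never unload the module
        # from the startup scripts.
        if ipfw_module_present; then
            sysctl net.inet.ip.fw.enable=0 >/dev/null
        fi
        ;;
    *)
        # Unset or unrecognised: the firewall keeps whatever default it
        # was built with (static kernel option or module build).
        ;;
    esac
}

# Usage from an rc script: ipfw_apply "$ipfw_enable_firewall"
```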