Date: Mon, 28 Jan 2002 16:23:12 -0500 (EST)
From: "C J Michaels" <cjm2@earthling.net>
To: <n@nectar.cc>
Cc: <stable@freebsd.org>
Subject: Re: Proposed Solution To Recent 'firewall_enable' Thread. [Please Read]
Message-ID: <2403.216.153.202.59.1012252992.squirrel@www1.27in.tv>
In-Reply-To: <20020128205203.GE42996@madman.nectar.cc>
References: <20020128205203.GE42996@madman.nectar.cc>
Jacques A. Vidrine said:
> On Mon, Jan 28, 2002 at 03:18:53PM -0500, C J Michaels wrote:
>> In light of all the recent ipfw hubbub, I think I have an equitable
>> solution for all. Most or all of these have been suggested by others,
>> I am just trying to put them into one concise proposal.
>
> Thanks for the effort, CJ.
>
>> I am going to propose the following changes:
>> 1. We rename the option to something like "firewall_load_rules" or
>>    "firewall_enable_rules", etc... Someone else can come up with a
>>    short yet more concise variable name.
>
> I don't see any value in renaming the knob for -STABLE. Renaming it
> for -CURRENT might be useful.
>

Agreed, I forgot to mention this, but it was my intent. Unfortunately
this seems to be happening more frequently as of late.

>> 2. We grandfather in the old option of "firewall_enable" so existing
>>    rc.conf(5)'s are not broken.
>
> It is easier to ensure no breakage by not renaming it. :-) Despite the
> chatter here, the current name has apparently caused little confusion
> in the over 2 years that it has been around.
>
> That's not to say that it shouldn't be better documented.
>
>> 2b. At some point in the future, with much fanfare and documentation,
>>     and probably messages to FreeBSD-Security-Advisories we phase out
>>     the old option completely, so we don't keep a kludge in the
>>     system.
>
> Any requirement for fanfare and messages to security-notifications
> should be a red flag that the change was too disruptive.

Good point... I'm a bit torn as I believe this would be a beneficial
change overall, but I am not fond of kludges in the base OS of any sort;
it adds more overhead and allows for configs that are easily broken, but
not easily repaired when the kludge is gone. Hence my suggestion for
fanfare. I'd prefer to not have the kludge at all, which I would believe
is acceptable if this change didn't occur until 5.0 was released.

>
>> 4. Explicitly document the effect of both "YES" and "NO" in
>>    rc.conf(5).
>
> By golly, I think you've got it. :-)
>

Isn't it amazing what a mess one little question can make. :)

> For the record, I have no objection to renaming the knob in -STABLE as
> Security Officer. I do not believe that renaming will endanger any
> existing systems (/etc is untouched during upgrades unless the
> administrator does an explicit merge). However, as a committer and
> even as Joe User, I think it is an inappropriate change for the
> -STABLE branch.

Agreed again. I do think that this generated enough noise, even if it
took 2 years to crop up, to point out that the current variables, and
maybe even the whole rc.conf(5), could use an overhaul (as noted in your
reply to Warner's other message). Mind you, that sounds like quite an
undertaking.

The thing we have to consider here is that it's not "us", the people
(Joe Experienced) who have working ipfw configurations, who understand
the meaning of firewall_enable through trial and error, that would gain
from this change. It is people who are either new to FreeBSD, or at
least new to using ipfw (Joe Newbie), that stand to gain the most from
this.

Thanks!

P.S. Has anyone worked on PRs to update the current documentation?

> Cheers,
> --
> Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
> NTT/Verio SME      .     FreeBSD UNIX     .       Heimdal Kerberos
> jvidrine@verio.net .   nectar@FreeBSD.org .          nectar@kth.se

--
Chris
"I'll defend to the death your right to say that, but I never said I'd
listen to it!"  -- Tom Galloway with apologies to Voltaire

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message