Date: Mon, 28 Jan 2002 23:47:19 -0000
From: Matthew Whelan <muttley@gotadsl.co.uk>
To: "M. Warner Losh" <imp@village.org>, nate@yogotech.com (Nate Williams)
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <WUGBZWMHRGEYT651X5Y1ZMISOZWLJ94.3c55e307@VicNBob>
In-Reply-To: <15445.48617.802871.870971@caddis.yogotech.com>
28/01/2002 21:08:57, Nate Williams <nate@yogotech.com> wrote:
>> How about renaming things a little more:
>>
>> ipfw_load_rules={yes,no}
>> ipfw_disable_firewall={yes,no}
>> ipfw_kldload={yes,no}
>
> I don't mind the first two, but I dislike the third for the following
> reasons.
>
> 1) We are moving (slowly) to a kernel where things are loaded
>    'automagically'. In other words, the user shouldn't have to
>    explicitly load a module if it's being used. (All of the network
>    adapters are moving in this direction.)
>
> 2) If possible (I've not analyzed this), it would be nice that if the
>    firewall is 'enabled' (second variable), the script would determine
>    *IF* the firewall module is in the kernel or not (like is done with
>    the current network adapter modules), and if not, load it.

My £0.02:

ipfw_load_rules could happily continue to work as it does at present (auto-load the module if it's needed).

ipfw_disable_firewall shouldn't exist - nowhere else does rc knock out kernel code like this, and to me, such behaviour is NOT something that should happen in boot-time scripts. You have to make some effort to compile ipfw in; if you have done so, it should be assumed that you want to keep it in. This should not be needed anyway, as the renaming of firewall_enable -> ipfw_load_rules should destroy the misunderstanding that bites people.

ipfw_kldload would therefore only be needed (a) for people who wanted to default-deny and have the module loaded before the interfaces are configured, or (b) for people who wanted effectively to have firewall_type=closed, by another route. It would have to be noted that ipfw_load_rules could still force a kldload even if this was no... or perhaps this could be a tri-state, YES/NO/NEVER, with the three behaviours being fairly obvious I think :)

Would you also rename the other firewall_* variables accordingly? Isn't this starting to get a bit big a change for -STABLE?

(unless you have an interim rc.network that understands both the old and new, translates old to new, and flashes a big warning that you change, or something :)
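The two mechanisms sketched in the message above, an interim translation of the old firewall_enable knob into ipfw_load_rules, and a tri-state ipfw_kldload (YES/NO/NEVER) that decides whether the rc script should load the ipfw module, as an added POSIX sh example. It is not code from the thread or from FreeBSD's rc.network; the function names, the argument conventions, and the "module already in kernel" input (passed as a plain yes/no argument rather than probed with kldstat) are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example (not FreeBSD rc code): decision logic for the proposed
# rc.conf variables discussed in the thread. Inputs are passed as
# arguments instead of being read from rc.conf or the running kernel.

# translate_legacy OLD_FIREWALL_ENABLE NEW_IPFW_LOAD_RULES
# Interim behaviour: if only the deprecated firewall_enable is set, map it
# onto ipfw_load_rules and warn loudly on stderr; an explicit new value
# always wins over the old one. Prints the effective ipfw_load_rules.
translate_legacy() {
    old=$1
    new=$2
    if [ -n "$old" ] && [ -z "$new" ]; then
        echo "WARNING: firewall_enable is deprecated; set ipfw_load_rules=$old in rc.conf" >&2
        echo "$old"
    else
        echo "$new"
    fi
}

# decide_kldload IPFW_LOAD_RULES IPFW_KLDLOAD MODULE_IN_KERNEL
# Prints one of:
#   already - ipfw is compiled in or already loaded; nothing to do
#   load    - rc should kldload ipfw before configuring interfaces
#   skip    - leave the module alone
# Semantics of the hypothetical tri-state ipfw_kldload:
#   YES   - load unconditionally (default-deny before interfaces come up;
#           with no rules this is the "firewall_type=closed by another
#           route" case, since ipfw's default rule denies everything unless
#           the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT)
#   NO    - load only if ipfw_load_rules wants to install rules
#   NEVER - never load, even if ipfw_load_rules=YES (rules then fail to load)
decide_kldload() {
    load_rules=$(echo "$1" | tr '[:lower:]' '[:upper:]')
    kldload=$(echo "$2" | tr '[:lower:]' '[:upper:]')
    in_kernel=$3

    # In a real rc script this would be probed (e.g. kldstat -qm ipfw);
    # here it is an argument so the function can be exercised offline.
    if [ "$in_kernel" = "yes" ]; then
        echo already
        return 0
    fi

    case "$kldload" in
        NEVER) echo skip; return 0 ;;
        YES)   echo load; return 0 ;;
    esac

    # NO or unset: the module is only pulled in when rules are about to be
    # loaded, matching how ipfw_load_rules auto-loads it today.
    if [ "$load_rules" = "YES" ]; then
        echo load
    else
        echo skip
    fi
}

# Usage: decide from a deprecated firewall_enable=YES with no new variable set.
effective=$(translate_legacy YES "")
decide_kldload "$effective" NO no
```

Run as-is and the script prints the deprecation warning followed by "load"; the NEVER case is the one worth noticing operationally, because it silently turns ipfw_load_rules=YES into a host with no firewall rules at all, which is why the message says that interaction would have to be documented.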