From owner-freebsd-stable Mon Jan 28 21:14: 0 2002 Delivered-To: freebsd-stable@freebsd.org Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by hub.freebsd.org (Postfix) with SMTP id 4A71A37B416 for ; Mon, 28 Jan 2002 21:13:54 -0800 (PST) Received: (qmail 4878 invoked by uid 0); 29 Jan 2002 05:13:52 -0000 Received: from pd9508863.dip.t-dialin.net (HELO mail.gsinet.sittig.org) (217.80.136.99) by mail.gmx.net (mp005-rz3) with SMTP; 29 Jan 2002 05:13:52 -0000 Received: (qmail 32621 invoked from network); 28 Jan 2002 23:44:23 -0000 Received: from shell.gsinet.sittig.org (192.168.11.153) by mail.gsinet.sittig.org with SMTP; 28 Jan 2002 23:44:23 -0000 Received: (from sittig@localhost) by shell.gsinet.sittig.org (8.11.3/8.11.3) id g0SNiFm32608 for stable@FreeBSD.ORG; Tue, 29 Jan 2002 00:44:15 +0100 (CET) (envelope-from sittig) Date: Tue, 29 Jan 2002 00:44:15 +0100 From: Gerhard Sittig To: stable@FreeBSD.ORG Subject: Re: Firewall config non-intuitiveness Message-ID: <20020129004415.F1494@shell.gsinet.sittig.org> Mail-Followup-To: stable@FreeBSD.ORG References: <15445.44102.288461.155113@caddis.yogotech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from drais@wow.atlasta.net on Mon, Jan 28, 2002 at 12:17:32PM -0800 Organization: System Defenestrators Inc. Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jan 28, 2002 at 12:17 -0800, David Raistrick wrote: > > It IS confusing though. > > Especially when man rc.conf says: > > firewall_enable (bool) Set to ``NO'' if you do not want have firewall > rules loaded at startup, or ``YES'' if you do. > > that sort of implies that it would disable it...but only an > implication. Huh? `uname -sr` please! :) You must have been in front of a different system. Consulting a running "FreeBSD 4.4-STABLE" as well as the -CURRENT source for "$FreeBSD: src/share/man/man5/rc.conf.5,v 1.149 2002/01/21 10:28:18 mpp Exp $" I haven't seen anything different from firewall_enable (bool) Set to ``YES'' to load firewall rules at startup. If the kernel was not built with IPFIREWALL, the ipfw ker- nel module will be loaded. See also ipfilter_enable. I didn't feel too much like replying again in the thread since all the points seem to have been made. The thread mostly seems to continue for the purpose of counting votes. So I try to put my view here while inviting those who search for a solution, too, to followup to the PR I filed (http://www.freebsd.org/cgi/query-pr.cgi?pr=34355). I'm still not convinced that reinterpreting a "leave it alone, I know better" as "magically disable things for me, since I might want you to do so" is a good idea. This kind of sounds like the Windows approach to me where assistants try to guess what the user meant. This change in meaning is especially bad when the things to be disabled explicitely have been introduced into the system, have security impact and should guard a machine (i.e. disabling them weakens the machine). What would we do next? Automatically enable routing as soon as more than one NIF becomes available? Go the SuSE route and automatically start X just because it gets installed on disk? Oops, I'm side stepping ... Sorry, but I (strongly) feel that disabling a packet filter should have to be done in a more explicit way than just leaving a variable at its default setting (remember: there's no way of knowing if the admin said "NO" or if this is left from the /etc/defaults/rc.conf script). Especially when the filter was compiled into the kernel upon the admin's explicit request. We are not talking about GENERIC kernels as they are shipped with the distro here where firewall_enable=NO has and always had the effect everybody around expects. So the variable might be renamed to "firewall_load_ruleset" (of course with a HEADS UP) and could get a third setting of DISABLE_IPFW next to the YES and NO which remain in their "load the ruleset" and "don't load a ruleset" meaning. Until then the comment next to the firewall_enable variable should make clear that not the whole filter is enabled / disabled but a ruleset might get loaded or not depending on the switch. That's why I started PR conf/34355 where those with the tristate patch might want to follow up. Maybe the rc.conf manpage should explicitely state that nothing happens in the NO case (but then it should for *any* _enable variable ...) -- this is missing in the PR. I still consider the current situation an education/documentation issue, not wrong behaviour. And I don't consider the _enable variable for the firewall any different from the other _enable variables. None of them does any disabling for me while all of them allow me to not enable/activate a certain aspect (with the option for me to do these things not at all or in a different way or in a different location). And since none of these variables have the word "disable" in them I don't expect any of them to disable something for me. They just allow me to start things in a regular, suggested location. There's still a difference between not acting and actively preventing something (strictly speaking disabling something is an action -- and in the case we discuss here there are already means for this like sysctl.conf and firewall_type). virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message