From owner-freebsd-stable Sun Jan 27 5:58:36 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from sage-american.com (sage-american.com [216.122.141.44]) by hub.freebsd.org (Postfix) with ESMTP id 5589F37B400; Sun, 27 Jan 2002 05:58:30 -0800 (PST)
Received: from SAGEONE (adsl-64-219-20-214.dsl.crchtx.swbell.net [64.219.20.214]) by sage-american.com (8.9.3/8.9.3) with SMTP id HAA00240; Sun, 27 Jan 2002 07:58:18 -0600 (CST)
Message-Id: <3.0.5.32.20020127075816.01831ca0@mail.sage-american.com>
X-Sender: jacks@mail.sage-american.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 27 Jan 2002 07:58:16 -0600
To: "M. Warner Losh" , cjc@FreeBSD.ORG
From: jacks@sage-american.com
Subject: Re: Firewall config non-intuitiveness
Cc: nate@yogotech.com, stable@FreeBSD.ORG
In-Reply-To: <20020127.052626.107682843.imp@village.org>
References: <20020127014848.F23259@blossom.cjclark.org> <15443.44156.595426.139371@caddis.yogotech.com> <20020127.004656.53474822.imp@village.org> <20020127014848.F23259@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

What would be wrong with booting without loading a FW script and then
loading the rules after the boot is finished...???

At 05:26 AM 1.27.2002 -0700, M. Warner Losh wrote:
>In message: <20020127014848.F23259@blossom.cjclark.org>
>            "Crist J. Clark" writes:
>: Warner, if the proposed change were to be made, you could get the same
>: effect by doing,
>:
>: firewall_enable="YES"
>: firewall_script="/dev/null"
>:
>: Which I think more accurately describes the behavior you want (if
>: someone were to browse the rc.conf and try to understand your
>: configuration, they'd be more likely to understand what you are trying
>: to do if they saw the above). You want to enable firewalling, but
>: don't want to load any rules.
>
>But I don't want it to fail unsafely. That's the part that I still do
>not like about the change and why I'm making a big deal out of it.
>This is a security feature that you are proposing that we depart from
>our long standing tradition and make fail unsafely.
>
>rc scripts shouldn't take things out of the kernel that people have
>specifically compiled into the kernel.
>
>Warner

Best regards,
Jack L. Stone,
Server Admin

===================================================
Sage-American
http://www.sage-american.com
jacks@sage-american.com

"My center is giving way, my right is in retreat;
....situation excellent! ....I shall attack!"
===================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
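A small shell check of the two rc.conf knobs this thread argues about, added here as an example; it is not part of any message in the thread and not FreeBSD's own rc code. It assumes only `firewall_enable` and `firewall_script`, and the way it classifies each combination (in particular treating an unset `firewall_script` as `/etc/rc.firewall`, and reading `firewall_script="/dev/null"` as "enabled, nothing loaded, kernel default policy applies") is this example's own assumption, not a description of what the rc scripts of the time actually did:

```shell
#!/bin/sh
# Added example (not from the original message or FreeBSD's rc scripts):
# report what a given rc.conf firewall configuration will load, so the
# "enabled but no rules" case Crist describes is visible at a glance.

# Constructed sample rc.conf fragment for the demonstration.
SAMPLE_RC_CONF='
hostname="example.test"
firewall_enable="YES"
firewall_script="/dev/null"
'

# rc_value CONTENT KEY: print the last value assigned to KEY (quotes stripped),
# or nothing when KEY is not set.
rc_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" \
        | tail -n 1
}

# firewall_mode CONTENT: classify the configuration as one of
#   disabled          firewall_enable is not YES, so rc loads no rules
#   enabled-no-rules  enabled, but the script is /dev/null: nothing is loaded
#                     and the kernel's compiled-in default policy is what applies
#   rules:<path>      enabled; rules are loaded from <path>
# The fallback to /etc/rc.firewall when firewall_script is unset is an
# assumption of this example.
firewall_mode() {
    enable=$(rc_value "$1" firewall_enable)
    script=$(rc_value "$1" firewall_script)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    [ -n "$script" ] || script=/etc/rc.firewall
    if [ "$script" = /dev/null ]; then
        echo enabled-no-rules
    else
        echo "rules:$script"
    fi
}

# Print the classification of the constructed sample when run directly.
echo "sample rc.conf -> $(firewall_mode "$SAMPLE_RC_CONF")"
```

Pointing `firewall_mode` at the real file (`firewall_mode "$(cat /etc/rc.conf)"`) shows at a glance whether a host relies on a rule script or on the kernel's compiled-in default, which is the distinction the thread is about.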