Date: Fri, 25 Jan 2002 09:21:54 +0000 From: Nik Clayton <nik@freebsd.org> To: Patrick Greenwell <patrick@stealthgeeks.net> Cc: stable@freebsd.org Subject: Re: Firewall config non-intuitiveness Message-ID: <20020125092154.U53456@clan.nothing-going-on.org> In-Reply-To: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Thu, Jan 24, 2002 at 08:21:50PM -0800 References: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote: > I recently got bit by this: I have firewall options configured into my > kernel, and made the mistake of thinking that in order to disable > this functionality to allow all traffic that I merely needed to remove the > firewall_enable paramater from my rc.conf since firewall_enable is set to NO in > /etc/defaults/rc.conf. > > This did not have the intended result of disabling the firewall, rather a > default deny was applied. If firewall_enable is set to NO, wouldn't it make > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I > missing something? > > Opinions welcome. I've got a hunch this needs to be a tri-state variable. YES -- Load the firewall rules NO -- Do nothing, default policy is compiled in to the kernel OFF -- Explicitly set net.inet.ip.fw.enable=0 or similar. N -- FreeBSD: The Power to Serve http://www.freebsd.org/ (__) FreeBSD Documentation Project http://www.freebsd.org/docproj/ \\\'',) \/ \ ^ --- 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375 --- .\._/_) [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjxRI7EACgkQk6gHZCw343XZ7gCghCxcHt3+HkhXOI2UyKhgXm7+ IFEAnA06hbRxvgsu4T/i3L3ejI431B7y =U9AP -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020125092154.U53456>