From: Pete French
Date: Tue, 29 Jan 2002 23:16:08 +0000
To: freebsd-stable@FreeBSD.ORG
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
In-Reply-To: <200201292106.g0TL6T748013@apollo.backplane.com>

> I've been hit by this piece of nonsense before as well. I would like
> to see the rules fixed so it doesn't matter what you compile into the
> kernel -- if your firewall_enable is NO, then it should be as if you
> don't have a file.

Don't you mean "as if you didn't have a firewall"?

If this was a physical piece of firewall hardware we were talking about
there would be no argument, because it's obvious that if you turn the thing
off it won't pass packets. But here the distinction isn't clear as to whether
the firewall exists and is being turned off, or if it's being made to vanish
as if it hadn't been compiled in.

You need to specify 2 things:

1) Does a firewall exist?
2) If so, is it on or off?

You just can't do it with one variable and please everyone, and let's not get
into the tri-state horribleness. How about:

	firewall_exists = YES/NO
	firewall_enable = YES/NO

With the value of the 2nd variable having no effect if the value of the
first is NO. To my mind that's clear enough, and also backward compatible.
Setting the first variable to NO always acts as if there was no firewall in
the kernel, setting it to YES always puts one in the kernel.

Any good?

-pcf.