From owner-freebsd-stable Fri Jan 25 17: 6: 4 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from rockstar.stealthgeeks.net (h-66-134-120-173.LSANCA54.covad.net [66.134.120.173]) by hub.freebsd.org (Postfix) with SMTP id B07D737B400 for ; Fri, 25 Jan 2002 17:05:54 -0800 (PST)
Received: (qmail 54858 invoked by uid 1001); 26 Jan 2002 01:05:48 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Jan 2002 01:05:48 -0000
Date: Fri, 25 Jan 2002 17:05:48 -0800 (PST)
From: Patrick Greenwell
To: "Thomas T. Veldhouse"
Cc: cjclark@alum.mit.edu,
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <000c01c1a5ff$a4539870$0101a8c0@cascade>
Message-ID: <20020125165307.C54729-100000@rockstar.stealthgeeks.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 25 Jan 2002, Thomas T. Veldhouse wrote:

> > > It only works the way complained about when you build your own custom
> > > kernel with IPFIREWALL and not with IPFIREWALL_DEFAULT_TO_ACCEPT. At
> > > that point, I think the admin needs to educate oneself. I prefer to
> > > leave it as is, as it errs on the side of safety.
> >
> > I am not sure that making the system pretty much unusable really errs
> > on the side of safety. I guess a brick, cut off from the world, is
> > pretty secure. We always need to balance security versus other
> > factors and usability is one of the big ones.
>
> No -- it implies that you should know what you are doing if you are going
> to be building and installing new kernels and working on your firewall
> remotely. There is NOTHING stopping you from getting onto the machine
> with a good old fashioned keyboard.
You know, I continue to be amazed at the attitude that says that things
should be kept counter-intuitive and anyone who doesn't like it that way
is ignorant. What possible benefit is there in perpetuating mislabeled
behavior?

To me, it's very simple: there's this "firewall_enable" option in
rc.conf, and I think that reasonable people would infer that if you set
it to "no" it meant that you didn't want a firewall enabled (based on the
name of the variable), yet that is not what happens. All the
documentation reading in the world isn't going to make me think it's a
good idea to have "no" mean "yes" and I certainly don't think it's
useful or helpful to cast aspersions on individuals who want "no" to
actually mean "no."

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
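Added example, not part of the archived thread or of FreeBSD's own rc scripts: a POSIX sh pre-change check that encodes the failure mode the thread argues about. A kernel built with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT carries a closing default rule, and firewall_enable="NO" tells rc not to load any rules, so that default rule is what a remote admin is left with. The functions take `ipfw list` output and rc.conf text as strings so the logic runs anywhere; the sample rule listing and rc.conf lines are constructed, and the assumption that the built-in default rule prints as rule 65535 with action `deny` or `allow` is mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): lockout pre-check for an ipfw host.
# Assumption: `ipfw list` shows the kernel's built-in default rule as number
# 65535 with action "deny" (IPFIREWALL alone) or "allow"
# (IPFIREWALL_DEFAULT_TO_ACCEPT); rc.conf sets firewall_enable="YES"/"NO".

# Print the action of default rule 65535 found in an ipfw listing ($1).
# Prints nothing when no such rule exists (ipfw not in the kernel).
default_rule_action() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2; exit }'
}

# Print the effective firewall_enable value from rc.conf text ($1): last
# assignment wins (as in sh), quotes and trailing comments stripped, upper-cased.
rc_firewall_enable() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*firewall_enable=//p' \
        | tail -n 1 \
        | tr -d "\"' " \
        | sed 's/#.*//' \
        | tr '[:lower:]' '[:upper:]'
}

# The dangerous combination is a deny default rule plus rc told not to load
# rules: "no" then means "closed". Prints LOCKOUT (exit 1), OK or NO_IPFW.
lockout_verdict() {
    action=$(default_rule_action "$1")
    enable=$(rc_firewall_enable "$2")
    if [ -z "$action" ]; then
        echo NO_IPFW
        return 0
    fi
    if [ "$action" = deny ] && [ "$enable" != YES ]; then
        echo LOCKOUT
        return 1
    fi
    echo OK
    return 0
}

# Live mode for a FreeBSD host: run the real listing and rc.conf through.
live_check() {
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available here; nothing to check" >&2
        return 0
    fi
    rules=$(ipfw list 2>/dev/null) || rules=""
    conf=$(cat /etc/rc.conf 2>/dev/null) || conf=""
    lockout_verdict "$rules" "$conf"
}

# Constructed sample data (no real host behind these).
SAMPLE_RULES_DENY='00100 allow ip from any to any via lo0
65535 deny ip from any to any'
SAMPLE_RULES_ACCEPT='65535 allow ip from any to any'
SAMPLE_RC_NO='hostname="example.invalid"
firewall_enable="NO"'
SAMPLE_RC_YES='firewall_enable="YES"
firewall_type="open"'

case "${1:-}" in
    --live) live_check ;;
    *)
        printf 'deny kernel, firewall_enable=NO   -> %s\n' \
            "$(lockout_verdict "$SAMPLE_RULES_DENY" "$SAMPLE_RC_NO")"
        printf 'deny kernel, firewall_enable=YES  -> %s\n' \
            "$(lockout_verdict "$SAMPLE_RULES_DENY" "$SAMPLE_RC_YES")"
        printf 'accept kernel, firewall_enable=NO -> %s\n' \
            "$(lockout_verdict "$SAMPLE_RULES_ACCEPT" "$SAMPLE_RC_NO")"
        ;;
esac
```

Run with no arguments to see the three constructed cases; on a FreeBSD box run it with `--live` before rebooting into a freshly built kernel or before touching rc.conf over ssh. A LOCKOUT verdict is the moment to either set firewall_enable="YES" with a suitable firewall_type, or to accept that the next step happens at the console.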