Date: Fri, 25 Jan 2002 21:02:54 -0500
From: Bob K <melange@yip.org>
To: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020125210254.B454@yip.org>
In-Reply-To: <20020125173525.O55184-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Fri, Jan 25, 2002 at 05:40:04PM -0800
References: <20020125203328.A454@yip.org> <20020125173525.O55184-100000@rockstar.stealthgeeks.net>

On Fri, Jan 25, 2002 at 05:40:04PM -0800, Patrick Greenwell wrote:
>
> > The problem is that you're not taking into account the installed base of
> > users who twiddle this knob. How many angry firewall admins will come
> > into being when the behaviour suddenly stops being, "don't load any
> > firewall rules" and starts being, "disable the firewall"?
>
> I could be mistaken, but it would seem to me that the number of
> individuals that really want to deny all traffic to and from their
> machine (which is the current result of setting firewall_enable to no)
> is relatively small.

If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
rc scripts spitting out a warning (and otherwise behaving as expected)
if ENABLE_FIREWALL is encountered, then the number of people that gets
surprised by the change would be zero. That number would be higher than
zero if the variable behaviour is changed.

As for people that want to deny all traffic, I can think of at least one
case where this might be desired: People who only want connectivity
enabled after a PPP or SL/IP or some scripted link with user
intervention comes up.

--
Bob <melange@yip.org> | Please don't feed the sock puppet.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message