From owner-freebsd-stable Fri Jan 25 18:05:45 2002
Delivered-To: freebsd-stable@freebsd.org
Message-ID: <15442.3825.38443.26350@guru.mired.org>
Date: Fri, 25 Jan 2002 20:05:37 -0600
From: "Mike Meyer"
To: Patrick Greenwell
Cc: Bob K, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020125173525.O55184-100000@rockstar.stealthgeeks.net>
References: <20020125203328.A454@yip.org> <20020125173525.O55184-100000@rockstar.stealthgeeks.net>

Patrick Greenwell types:
> On Fri, 25 Jan 2002, Bob K wrote:
> > The problem is that you're not taking into account the installed base of
> > users who twiddle this knob. How many angry firewall admins will come
> > into being when the behaviour suddenly stops being, "don't load any
> > firewall rules" and starts being, "disable the firewall"?
> I could be mistaken, but it would seem to me that the number of
> individuals that really want to deny all traffic to and from their
> machine (which is the current result of setting firewall_enable to no)
> is relatively small.

Actually, that's the base you want to start with when building a firewall. You then go on to allow in the traffic that you want to pass through. This is really a security issue.

If you're tweaking the firewall for a machine, what do you want to happen if you screw up so badly that the rules aren't loaded: 1) nobody can get to the machine, or 2) the machine is wide open to the world? #1 is clearly the more secure behavior, and thus makes sense as the default.

Yes, it means that in the case where you've built a custom kernel with a firewall and not set up any firewall rules, the rc.conf firewall_enable variable is a bit odd; after all, you've enabled the firewall already. If you want it to behave the other way when you build a custom kernel, you can. Personally, I think the current behavior of making things more secure is the better default.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
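As an added illustration (not part of the original message, and not text from the FreeBSD project), here are the settings the thread is arguing about on a FreeBSD 4.x box of that era: the kernel options that decide whether rule 65535 denies or allows, the rc.conf knob that only controls whether a rule set is loaded on top of that default, and the check you run afterwards. The rule-file path /etc/ipfw.rules and the host address 192.0.2.10 are assumptions chosen for the example; the ipfw output quoted in the comments is what you should expect to see, not output captured from the thread.

```conf
# --- Kernel config (e.g. /usr/src/sys/i386/conf/MYKERNEL): fail-closed ---
# With IPFIREWALL alone the kernel installs a single built-in rule,
#   65535 deny ip from any to any
# so a host whose rule set never loads (firewall_enable="NO", a typo in
# the rule file, rc.firewall aborting) passes no traffic at all.  That is
# the behaviour the message above defends: a broken config locks you out
# rather than exposing the machine.
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100

# --- Fail-open variant: "behave the other way" with a custom kernel ---
# IPFIREWALL_DEFAULT_TO_ACCEPT turns the built-in rule into
#   65535 allow ip from any to any
# so a missing or broken rule set leaves the host wide open.  Leave this
# commented out unless that is really what you want.
# options       IPFIREWALL_DEFAULT_TO_ACCEPT

# --- /etc/rc.conf: load a rule set at boot ---
# firewall_enable="NO" does NOT disable the firewall on such a kernel; it
# only skips running /etc/rc.firewall, which leaves rule 65535 in charge.
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"   # a file of ipfw commands; rc.firewall also
                                  # accepts its presets: open, client, simple, closed

# --- /etc/ipfw.rules (assumed path): start from deny-all, allow what you need ---
# When firewall_type names a file, rc.firewall flushes the rules and feeds
# the file to ipfw(8), so each line is an ipfw command.  192.0.2.10 is an
# assumed address for this host.
# add 00100 allow ip from any to any via lo0
# add 00200 deny ip from any to 127.0.0.0/8
# add 00300 deny ip from 127.0.0.0/8 to any
# add 00400 allow tcp from any to 192.0.2.10 22 setup
# add 00500 allow tcp from any to any established
# add 00600 allow udp from 192.0.2.10 to any 53
# add 00700 allow udp from any 53 to 192.0.2.10
# add 00800 allow icmp from any to any icmptypes 0,3,8,11
# (anything not matched above falls through to rule 65535)

# --- Check from a root shell after boot ---
# ipfw list
# The last line printed must read "65535 deny ip from any to any".  If it
# reads "65535 allow ip from any to any", the kernel was built fail-open,
# and a rule set that fails to load will expose the machine.  If your own
# rules are missing above it, rc.firewall did not run or the file has an
# error; the host is closed, not open, which is the point of the default.
```

The useful habit this encodes is to test the failure case on purpose once: set firewall_enable="NO", reboot (or run ipfw -f flush as root on a console you can reach), and confirm the machine really does go dark instead of quietly going open.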