Date: Fri, 25 Jan 2002 18:11:33 -0800 (PST)
From: Patrick Greenwell
To: Mike Meyer
Cc: Bob K
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <15442.3825.38443.26350@guru.mired.org>
Message-ID: <20020125180928.K55603-100000@rockstar.stealthgeeks.net>

On Fri, 25 Jan 2002, Mike Meyer wrote:

> Patrick Greenwell types:
> > On Fri, 25 Jan 2002, Bob K wrote:
> > > The problem is that you're not taking into account the installed base of
> > > users who twiddle this knob. How many angry firewall admins will come
> > > into being when the behaviour suddenly stops being, "don't load any
> > > firewall rules" and starts being, "disable the firewall"?
> >
> > I could be mistaken, but it would seem to me that the number of
> > individuals that really want to deny all traffic to and from their
> > machine (which is the current result of setting firewall_enable to no)
> > is relatively small.
>
> Actually, that's the base you want to start with when building a
> firewall. You then go on to allow in traffic that you want to pass
> through.

That's right, but in that case you wouldn't be setting firewall_enable to
"no" since you *want* a firewall.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell                                        Stealthgeeks,LLC.
Operations Consulting                          http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/