From owner-freebsd-stable  Fri Jan 25 18:17:58 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from rockstar.stealthgeeks.net (h-66-134-120-173.LSANCA54.covad.net [66.134.120.173])
	by hub.freebsd.org (Postfix) with SMTP id 4146B37B404
	for <stable@FreeBSD.ORG>; Fri, 25 Jan 2002 18:17:52 -0800 (PST)
Received: (qmail 55691 invoked by uid 1001); 26 Jan 2002 02:17:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 26 Jan 2002 02:17:52 -0000
Date: Fri, 25 Jan 2002 18:17:52 -0800 (PST)
From: Patrick Greenwell <patrick@stealthgeeks.net>
To: Bob K <melange@yip.org>
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020125210254.B454@yip.org>
Message-ID: <20020125181141.N55633-100000@rockstar.stealthgeeks.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On Fri, 25 Jan 2002, Bob K wrote:

> > I could be mistaken, but it would seem to me that the number of
> > individuals that really want to deny all traffic to and from their
> > machine(which is the current result of setting firewall_enable to no)
> > is relatively small.
>
> If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
> rc scripts spitting out a warning (and otherwise behaving as expected)
> if ENABLE_FIREWALL is encountered, then the number of people that gets
> surprised by the change would be zero.  That number would be higher
> than zero if the variable behaviour is changed.

The variable behavior is non-sensical. Do you continue doing things that
don't make sense simply due to inertia? (I feel a PHB story coming on...)

Further, doesn't the act of adding variables "suprise" people?

> As for people that want to deny all traffic, I can think of at least one
> case where this might be desired:  People who only want connectivity
> enabled after a PPP or SL/IP or some scripted link with user
> intervention comes up.

It is always easy to find edge cases which is why I try to avoid speaking
in absolutes. In any case, do you believe that there are thousands of
people out there running systems in the particular fashion you describe
above?


/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
                     Stealthgeeks,LLC. Operations Consulting
                          http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message