Date: Fri, 25 Jan 2002 18:17:52 -0800 (PST)
From: Patrick Greenwell
To: Bob K
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020125210254.B454@yip.org>
Message-ID: <20020125181141.N55633-100000@rockstar.stealthgeeks.net>

On Fri, 25 Jan 2002, Bob K wrote:

> > I could be mistaken, but it would seem to me that the number of
> > individuals that really want to deny all traffic to and from their
> > machine (which is the current result of setting firewall_enable to no)
> > is relatively small.
>
> If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
> rc scripts spitting out a warning (and otherwise behaving as expected)
> if ENABLE_FIREWALL is encountered, then the number of people that gets
> surprised by the change would be zero. That number would be higher
> than zero if the variable behaviour is changed.

The variable behavior is nonsensical. Do you continue doing things that
don't make sense simply due to inertia? (I feel a PHB story coming on...)

Further, doesn't the act of adding variables "surprise" people?

> As for people that want to deny all traffic, I can think of at least one
> case where this might be desired: People who only want connectivity
> enabled after a PPP or SL/IP or some scripted link with user
> intervention comes up.

It is always easy to find edge cases which is why I try to avoid speaking
in absolutes. In any case, do you believe that there are thousands of
people out there running systems in the particular fashion you describe
above?

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/