Date:      Sat, 26 Jan 2002 04:06:29 +0100
From:      Cliff Sarginson <cliff@raggedclown.net>
To:        stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020126030629.GA1290@raggedclown.net>
In-Reply-To: <20020125181141.N55633-100000@rockstar.stealthgeeks.net>
References:  <20020125210254.B454@yip.org> <20020125181141.N55633-100000@rockstar.stealthgeeks.net>

On Fri, Jan 25, 2002 at 06:17:52PM -0800, Patrick Greenwell wrote:
> On Fri, 25 Jan 2002, Bob K wrote:
> 
> > > I could be mistaken, but it would seem to me that the number of
> > > individuals that really want to deny all traffic to and from their
> > > machine (which is the current result of setting firewall_enable to no)
> > > is relatively small.
> >
> > If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
> > rc scripts spitting out a warning (and otherwise behaving as expected)
> > if ENABLE_FIREWALL is encountered, then the number of people that gets
> > surprised by the change would be zero.  That number would be higher
> > than zero if the variable behaviour is changed.
> 
> The variable behavior is nonsensical. Do you continue doing things that
> don't make sense simply due to inertia? (I feel a PHB story coming on...)
> 
> Further, doesn't the act of adding variables "surprise" people?
> 
> > As for people that want to deny all traffic, I can think of at least one
> > case where this might be desired:  People who only want connectivity
> > enabled after a PPP or SL/IP or some scripted link with user
> > intervention comes up.
>
Most of these people are not going to be online to anything until that
happens anyway!

> It is always easy to find edge cases which is why I try to avoid speaking
> in absolutes. In any case, do you believe that there are thousands of
> people out there running systems in the particular fashion you describe
> above?
> 
I think Mr Greenwell is correct.
The "erring" on the side of safety is not really an argument, since
if you are at the point of disabling the firewall you are presumably
informed enough to know of the consequences. It is erring on the side
of "Nanny knows best".
Of course building a firewall set is best started from deny all onwards.
But that is not the question here.
If I say don't load firewall, or unload firewall, I would expect the
result to be an un-firewalled system.
The current behaviour is counter-intuitive.
As for the surprise it may give firewall administrators, I expect they
have already been surprised in the past when they have forgotten
what happens if you happen to be miles away from the console and do
this...

This is both an argument about the phrasing of a question (which is
clearly in need of re-phrasing even if the current status-quo is
maintained); and an argument about what should happen in these
scenarios. I also happen to believe the status-quo is in need of change.

-- 
Regards
Cliff
