Date: Sat, 26 Jan 2002 04:06:29 +0100
From: Cliff Sarginson
To: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020126030629.GA1290@raggedclown.net>
References: <20020125210254.B454@yip.org> <20020125181141.N55633-100000@rockstar.stealthgeeks.net>
In-Reply-To: <20020125181141.N55633-100000@rockstar.stealthgeeks.net>

On Fri, Jan 25, 2002 at 06:17:52PM -0800, Patrick Greenwell wrote:
> On Fri, 25 Jan 2002, Bob K wrote:
>
> > > I could be mistaken, but it would seem to me that the number of
> > > individuals that really want to deny all traffic to and from their
> > > machine (which is the current result of setting firewall_enable to no)
> > > is relatively small.
> >
> > If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
> > rc scripts spitting out a warning (and otherwise behaving as expected)
> > if ENABLE_FIREWALL is encountered, then the number of people that get
> > surprised by the change would be zero. That number would be higher
> > than zero if the variable behaviour is changed.
>
> The variable behaviour is nonsensical. Do you continue doing things that
> don't make sense simply due to inertia? (I feel a PHB story coming on...)
>
> Further, doesn't the act of adding variables "surprise" people?
>
> > As for people that want to deny all traffic, I can think of at least one
> > case where this might be desired: people who only want connectivity
> > enabled after a PPP or SL/IP or some scripted link with user
> > intervention comes up.
>
Most of these people are not going to be online to anything until that
happens anyway!

> It is always easy to find edge cases, which is why I try to avoid speaking
> in absolutes. In any case, do you believe that there are thousands of
> people out there running systems in the particular fashion you describe
> above?
>
I think Mr Greenwell is correct.

The "erring" on the side of safety is not really an argument, since if
you are at the point of disabling the firewall you are presumably
informed enough to know of the consequences. It is erring on the side of
"Nanny knows best".

Of course building a firewall set is best started from deny all onwards.
But that is not the question here. If I say don't load firewall, or
unload firewall, I would expect the result to be an un-firewalled system.
The current behaviour is counter-intuitive.

As for the surprise it may give firewall administrators, I expect they
have already been surprised in the past when they have forgotten what
happens if you happen to be miles away from the console and do this...

This is both an argument about the phrasing of a question (which is
clearly in need of re-phrasing even if the current status quo is
maintained), and an argument about what should happen in these
scenarios. I also happen to believe the status quo is in need of change.

--
Regards
Cliff
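The following is an added illustration and is not part of the thread or of FreeBSD's own rc scripts. It models, in POSIX shell, the two behaviours the thread argues about: what a "firewall enable" knob set to NO actually yields on a kernel whose packet filter denies everything when no rules are loaded (FreeBSD's ipfw does this unless built with IPFIREWALL_DEFAULT_TO_ACCEPT), and the deprecation warning Bob K proposes for an old knob name. The function names, the knob name load_firewall_rules, and the policy labels are hypothetical.

```sh
#!/bin/sh
# Added example, not taken from the mailing-list thread or from /etc/rc.network.
# Models how an rc-style "enable firewall" knob interacts with a kernel that
# denies all traffic when no ruleset is loaded. Names are hypothetical.

# effective_policy RC_VALUE KERNEL_DEFAULT
#   RC_VALUE        value of the rc.conf knob, e.g. YES or NO (case-insensitive)
#   KERNEL_DEFAULT  what the kernel does with no rules loaded: deny or accept
# Prints one of: ruleset, open, blackhole
effective_policy() {
    rc_value=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    kernel_default=$2
    case "$rc_value" in
        yes)
            # Rules are loaded; traffic is whatever the ruleset says.
            echo ruleset ;;
        *)
            # Nothing is loaded, so the compiled-in default decides. On a
            # default-deny kernel "NO" locks the host out, which is the
            # surprise the thread is about; only a default-accept kernel
            # gives the un-firewalled system an administrator expects.
            if [ "$kernel_default" = "deny" ]; then
                echo blackhole
            else
                echo open
            fi ;;
    esac
}

# check_legacy_knob NAME
# Returns 1 and warns on stderr when the deprecated knob NAME is still set,
# mirroring the "spit out a warning but behave as expected" proposal;
# returns 0 when the old name is absent.
check_legacy_knob() {
    legacy_name=$1
    eval "legacy_value=\${$legacy_name:-}"
    if [ -n "$legacy_value" ]; then
        echo "WARNING: $legacy_name is deprecated; set load_firewall_rules instead" >&2
        return 1
    fi
    return 0
}

# Demonstration over the four knob/kernel combinations.
for kernel in deny accept; do
    for knob in YES NO; do
        printf 'knob=%-3s kernel-default=%-6s -> %s\n' \
            "$knob" "$kernel" "$(effective_policy "$knob" "$kernel")"
    done
done

# Constructed rc.conf state: the old name is still present.
firewall_enable=NO
check_legacy_knob firewall_enable || printf 'legacy knob detected (rc=%s)\n' "$?"
```

The point the table makes is the one Cliff draws out: "NO" is only an "off switch" when the kernel's default policy is accept; on a default-deny kernel it is a remote lock-out, so the knob's name should say what it really controls (whether rules get loaded).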