Date: Wed, 30 Jan 2002 14:16:26 -0700
From: Nate Williams <nate@yogotech.com>
To: Matthew Whelan <muttley@gotadsl.co.uk>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, "Thomas T. Veldhouse" <veldy@veldy.net>, andrew.cowan@hsd.com.au, "Nate Williams" <nate@yogotech.com>, "Freebsd-Stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <15448.25258.559642.146789@caddis.yogotech.com>
In-Reply-To: <JI75GAYSTRA5PJZYUKGON75TOB88.3c586114@VicNBob>
References: <200201292106.g0TL6T748013@apollo.backplane.com> <JI75GAYSTRA5PJZYUKGON75TOB88.3c586114@VicNBob>
> Nate dismisses the install stage (have compiled custom kernel but not yet
> configured firewall rules) as a 'straw-man' but that's rubbish IMO.

I still say it's complete rubbish.

> Say your
> gateway has an unfortunate accident and needs replacing with a new
> machine.

Then, you're down until the box is *completely* brought back up. That means you configure it *off-the-network* before replacing the old machine with the new one. (And, any sys-admin worth the salt will have a backup tape of the box ready to load on a new machine, so the box will have been loaded/configured before it's installed anyway.)

> First up you'll compile a kernel with gateway and firewalling
> enabled.

No, first thing you do is install the basic FreeBSD installation on the box, then restore your backed up firewall onto the box, so it's ready to go *RIGHT AWAY*. What, you don't do backups? Then you're going to have to configure the crap out of the box anyway, and who's going to try and configure it with a locked-down firewall and no remote access? Again, this is a complete strawman.

> You'll also need to pull your firewall rules off tape/the old disk/networked
> backup/whatever.

How you gonna access the network backup if you are completely locked down? If the firewall box is dead, how you gonna access the disk? If it's up, then you by god have the ability to create the new box *before* it's deployed, so the firewall being locked down is a moot point.

However, I'm again going mute, because those folks who are arguing about this (aside from Warner's specific example) appear to not use the stuff much, or simply like the old way because it's the old way.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15448.25258.559642.146789>