Date:      Sat, 26 Jan 2002 13:49:37 +0000
From:      Ian Dowse <iedowse@maths.tcd.ie>
To:        "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc:        "Thomas T. Veldhouse" <veldy@veldy.net>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness 
Message-ID:   <200201261349.aa24682@salmon.maths.tcd.ie>
In-Reply-To: Your message of "Fri, 25 Jan 2002 19:05:52 PST." <20020125190552.E14394@blossom.cjclark.org> 

In message <20020125190552.E14394@blossom.cjclark.org>, "Crist J. Clark" writes:
>But the current behavior of the two is inconsistent if
>'firewall_enable="NO".' If you have a statically compiled firewall, you
>have a brick. If you don't you have a wide-open machine. The change
>would make it wide open in both cases. That is, when you do not have
>firewall_enable enabling firewalling, you don't have a firewall. (period)

We have numerous machines with firewall_enable="NO" (because we
don't want the rc scripts to touch the firewall config) and both
`options IPFIREWALL' and `options IPFIREWALL_DEFAULT_TO_ACCEPT' in
the kernel config. A trivial firewall/dummynet configuration is
set up in rc.local.

In general, xxx="NO" in rc.conf means "don't start xxx", it doesn't
mean "don't start xxx, and if there is one running, kill it", i.e.
="NO" is an instruction to the rc scripts to do nothing (I'm sure
there are a few exceptions). I think the existing firewall_enable
behaviour is consistent with this, but a new "DISABLE" option could
be added without any problems.

Ian
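The thread turns on how `firewall_enable` in rc.conf combines with a statically compiled `options IPFIREWALL` kernel: with `firewall_enable="NO"` the rc scripts load no rules, so the kernel's built-in default rule decides whether the box is a brick (default deny) or wide open (`IPFIREWALL_DEFAULT_TO_ACCEPT`, the setup Ian describes, with the real ruleset then coming from rc.local). The script below is an added audit check written for this page, not code from the thread or from FreeBSD; it reads an rc.conf and a kernel config file and reports which of those three states the rc scripts leave the host in before anything in rc.local runs. The file contents are constructed samples, and the function names (`rcconf_value`, `kernel_has`, `firewall_state`) are this example's own.

```sh
#!/bin/sh
# Added example: classify the boot-time firewall state implied by rc.conf
# and a static kernel config, following the reasoning in the mail above.

# rcconf_value FILE VAR -> prints VAR's value (last assignment wins),
# with surrounding double or single quotes stripped.
rcconf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d "\"'"
}

# kernel_has FILE OPTION -> succeeds if `options OPTION` appears in the
# kernel config (exact option name, so IPFIREWALL does not match
# IPFIREWALL_DEFAULT_TO_ACCEPT).
kernel_has() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# firewall_state RCCONF KERNCONF -> prints one of:
#   rc-managed : firewall_enable is set, rc scripts load the firewall_type rules
#   brick      : static IPFIREWALL, default deny, and nothing loads rules
#   open       : no static firewall at all, or IPFIREWALL_DEFAULT_TO_ACCEPT
firewall_state() {
    enable=$(rcconf_value "$1" firewall_enable | tr '[:upper:]' '[:lower:]')
    case "$enable" in
        yes|true|on|1) echo rc-managed; return ;;
    esac
    if kernel_has "$2" IPFIREWALL; then
        if kernel_has "$2" IPFIREWALL_DEFAULT_TO_ACCEPT; then
            echo open
        else
            echo brick
        fi
    else
        echo open
    fi
}

# Constructed sample files standing in for /etc/rc.conf and a kernel config.
TMP=$(mktemp -d)
RC_NO="$TMP/rc.conf.no"
printf 'hostname="host1"\nfirewall_enable="NO"\n' > "$RC_NO"
RC_YES="$TMP/rc.conf.yes"
printf 'hostname="host2"\nfirewall_enable="YES"\nfirewall_type="open"\n' > "$RC_YES"
KERN_DENY="$TMP/KERN.deny"
printf 'ident FW\noptions IPFIREWALL\n' > "$KERN_DENY"
KERN_ACCEPT="$TMP/KERN.accept"
printf 'ident FW\noptions IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$KERN_ACCEPT"
KERN_NONE="$TMP/KERN.none"
printf 'ident GENERIC\n' > "$KERN_NONE"

# Stand-alone run: show each combination and the state it produces.
for rc in "$RC_NO" "$RC_YES"; do
    for kern in "$KERN_DENY" "$KERN_ACCEPT" "$KERN_NONE"; do
        printf '%-12s %-12s -> %s\n' "$(basename "$rc")" "$(basename "$kern")" \
            "$(firewall_state "$rc" "$kern")"
    done
done
```

The "brick" row is the case Crist describes, the "open" row with `KERN.accept` is Ian's configuration, and only `rc-managed` involves the rc scripts at all, which is the point of his reading of `xxx="NO"` as "do nothing" rather than "tear down".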
