From owner-freebsd-stable Sat Jan 26 5:49:42 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11]) by hub.freebsd.org (Postfix) with SMTP id E205937B402; Sat, 26 Jan 2002 05:49:38 -0800 (PST)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP id ; 26 Jan 2002 13:49:38 +0000 (GMT)
To: "Crist J. Clark"
Cc: "Thomas T. Veldhouse", Patrick Greenwell, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: Your message of "Fri, 25 Jan 2002 19:05:52 PST." <20020125190552.E14394@blossom.cjclark.org>
Date: Sat, 26 Jan 2002 13:49:37 +0000
From: Ian Dowse
Message-ID: <200201261349.aa24682@salmon.maths.tcd.ie>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In message <20020125190552.E14394@blossom.cjclark.org>, "Crist J. Clark" writes:

>But the current behavior of the two is inconsistent if
>'firewall_enable="NO".' If you have a statically compiled firewall, you
>have a brick. If you don't you have a wide-open machine. The change
>would make it wide open in both cases. That is, when you do not have
>firewall_enable enabling firewalling, you don't have a firewall. (period)

We have numerous machines with firewall_enable="NO" (because we don't
want the rc scripts to touch the firewall config) and both `options
IPFIREWALL' and `options IPFIREWALL_DEFAULT_TO_ACCEPT' in the kernel
config. A trivial firewall/dummynet configuration is set up in rc.local.

In general, xxx="NO" in rc.conf means "don't start xxx", it doesn't mean
"don't start xxx, and if there is one running, kill it", i.e. ="NO" is
an instruction to the rc scripts to do nothing (I'm sure there are a
few exceptions). I think the existing firewall_enable behaviour is
consistent with this, but a new "DISABLE" option could be added without
any problems.
Ian
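The three states the thread argues about (a "brick", a wide-open host, or a host whose rules come from rc.local) are all visible in the ipfw rule list: with firewall_enable="NO" the rc scripts load nothing, so the only policy in force is the default rule 65535, which `options IPFIREWALL_DEFAULT_TO_ACCEPT` turns into "allow ip from any to any" and a plain `options IPFIREWALL` kernel leaves as "deny ip from any to any". The script below is an added example, not code from Ian Dowse's mail or from FreeBSD's rc scripts; it classifies a host from `ipfw list` output. The sample outputs embedded in it are constructed, and the rule numbers and the 192.0.2.0/24 pipe rule in the "managed" sample are invented to stand in for the "trivial firewall/dummynet configuration" the mail mentions.

```shell
#!/bin/sh
# Added example (not from the original mail). Classify an ipfw host as:
#   brick   - only rule 65535 is present and it is "deny" (IPFIREWALL alone,
#             nothing loaded because firewall_enable="NO" and no rc.local rules)
#   open    - only rule 65535 is present and it is "allow"
#             (IPFIREWALL_DEFAULT_TO_ACCEPT, nothing loaded)
#   managed - some other rule set (e.g. rc.local) has been loaded

# default_policy "<ipfw list output>" -> accept | deny | unknown
# Rule 65535 is the kernel's built-in default rule; ipfw prints it last.
default_policy() {
    case "$1" in
        *"65535 allow ip from any to any"*) echo accept ;;
        *"65535 deny ip from any to any"*)  echo deny ;;
        *)                                  echo unknown ;;
    esac
}

# loaded_rule_count "<ipfw list output>" -> number of rules other than 65535
loaded_rule_count() {
    # grep -c exits 1 when the count is 0; "|| true" keeps the "0" it prints
    printf '%s\n' "$1" | grep -v '^65535 ' | grep -c '^[0-9]' || true
}

# firewall_state POLICY COUNT -> brick | open | managed | unknown
firewall_state() {
    if [ "$2" -gt 0 ]; then
        echo managed
    elif [ "$1" = deny ]; then
        echo brick
    elif [ "$1" = accept ]; then
        echo open
    else
        echo unknown
    fi
}

# report "<ipfw list output>" -> one-word state for that rule list
report() {
    firewall_state "$(default_policy "$1")" "$(loaded_rule_count "$1")"
}

# Constructed samples (not captured from a real host). ipfw zero-pads rule
# numbers to five digits; the managed sample imitates a small rc.local set
# with one dummynet pipe rule.
SAMPLE_BRICK='65535 deny ip from any to any'
SAMPLE_OPEN='65535 allow ip from any to any'
SAMPLE_MANAGED='00100 allow ip from any to any via lo0
00200 pipe 1 ip from any to 192.0.2.0/24 out
65000 allow ip from any to any
65535 allow ip from any to any'

if [ "${1:-}" = --live ]; then
    # On a real FreeBSD host with ipfw in the kernel; prints "unknown" if
    # ipfw is absent (empty output).
    report "$(ipfw list 2>/dev/null)"
else
    for s in "$SAMPLE_BRICK" "$SAMPLE_OPEN" "$SAMPLE_MANAGED"; do
        report "$s"        # prints brick, open, managed in turn
    done
fi
```

Run it with `--live` on a host to see which of the three cases you are actually in; the point of the check is that firewall_enable="NO" by itself tells you nothing, only the kernel options and whatever rc.local loaded do.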