Date: Sat, 26 Jan 2002 09:28:03 -0700 (MST)
From: "M. Warner Losh"
To: iedowse@maths.tcd.ie
Cc: cjc@FreeBSD.ORG, veldy@veldy.net, patrick@stealthgeeks.net, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-Id: <20020126.092803.25710806.imp@village.org>
In-Reply-To: <200201261349.aa24682@salmon.maths.tcd.ie>

In message: <200201261349.aa24682@salmon.maths.tcd.ie>
Ian Dowse writes:
: In general, xxx="NO" in rc.conf means "don't start xxx", it doesn't
: mean "don't start xxx, and if there is one running, kill it", i.e.
: ="NO" is an instruction to the rc scripts to do nothing (I'm sure
: there are a few exceptions). I think the existing firewall_enable
: behaviour is consistent with this, but a new "DISABLE" option could
: be added without any problems.

I agree. The last thing we should be doing is automatically disabling
a security feature by some rc setting.

We do similar things with our firewall stuff on a couple of our
machines because we need to do some custom things before turning it on
that don't fit the current rc paradigm.

Warner