Date:      Wed, 30 Jan 2002 22:54:54 -0600
From:      "Jacques A. Vidrine" <n@nectar.cc>
To:        Garance A Drosihn <drosih@rpi.edu>
Cc:        Matthew Dillon <dillon@apollo.backplane.com>, freebsd-stable@FreeBSD.ORG
Subject:   Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID:  <20020130225454.A48040@hellblazer.nectar.cc>
In-Reply-To: <p05101226b87e6b0f9966@[128.113.24.47]>; from drosih@rpi.edu on Wed, Jan 30, 2002 at 11:21:49PM -0500
References:  <JI75GAYSTRA5PJZYUKGON75TOB88.3c586114@VicNBob> <200201310042.g0V0g3255325@apollo.backplane.com> <20020130202356.A47852@hellblazer.nectar.cc> <p05101226b87e6b0f9966@[128.113.24.47]>

On Wed, Jan 30, 2002 at 11:21:49PM -0500, Garance A Drosihn wrote:
> I suggest that the main difference of opinion is what the phrase
> "firewall is disabled" brings to mind (in different minds).  

No, it's a difference of opinion about what the phrase
`firewall_enable=NO' or `firewall not enabled' brings to mind.  But
whatever, the horse is dead.  People all over the globe are currently
wrangling over a better naming scheme for rc.conf knobs, and putting
together patches for review.  If any of these efforts produce something
considerably better than what we have now, they will be committed.

But probably not to -STABLE.

> I think we could have two settings, right next to each other, in
> /etc/defaults/rc.conf:
> firewall_enable=NO		# NO means 'no packets are blocked'
> firewall_rules_enable=YES	# NO means that if the firewall is up,
>                                  # then all packets will be blocked,
> 				# ignoring any 'rules' you have defined.
> 
> If anyone sees that change go by in mergemaster, and they do depend
> on the present behavior, and those comments (or something better
> than those) do not ring an alarm in their heads, then I would be
> either surprised or disturbed.
> 
> Maybe even this is too drastic a change for -stable, although I'd
> it would work.  

No, it won't work.  Joe Experienced will configure a new system
based on FreeBSD 4.N, and configure `firewall_enable=NO' as he has
always done in the past.  But WHAM the behavior of this new system
is drastically different from any previous FreeBSD release that had
a firewall_enable knob.  He has no firewall at all, rather than a
firewall which he configured by whatever mechanism.  Worse, instead of
this failure leaving him with all services blocked (no doubt something
he's encountered before on accident), it leaves his system completely
open.

In general, it is a bad idea to change the semantics of a system
setting.  Notice that when it was determined that we needed a setting
for outbound-only sendmail, that we didn't change the semantics of
`sendmail_enable'.

> I wouldn't push for this, but I have to believe
> there are few people who are running *-production-* systems where
> they depend on the present behavior of 'firewall_enable=NO', 

I don't think it is so uncommon as to be unimportant.

> and
> that the present behavior *will* cause trouble for -stable users
> who want to "turn off the firewall just to test something".

The present behavior has served us pretty well for the last few years.
This is hardly an emergency.  This can be `fixed' in -CURRENT.

Introducing new knobs while leaving the old knobs in for backwards
compatibility might be a reasonable compromise.

> Apologies if this is just a repeat of an earlier idea.

Apology accepted :-)

I'd set the follow-up to freebsd-current, but there is so little context
here regarding the real issue that it would not be useful.
-- 
Jacques A. Vidrine <n@nectar.cc>                     http://www.nectar.cc/
NTT/Verio SME           .      FreeBSD UNIX      .        Heimdal Kerberos
jvidrine@verio.net      .   nectar@FreeBSD.org   .           nectar@kth.se
