From owner-freebsd-stable Wed Jan 30 20:54:59 2002
Date: Wed, 30 Jan 2002 22:54:54 -0600
From: "Jacques A. Vidrine"
To: Garance A Drosihn
Cc: Matthew Dillon, freebsd-stable@FreeBSD.ORG
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <20020130225454.A48040@hellblazer.nectar.cc>
References: <200201310042.g0V0g3255325@apollo.backplane.com> <20020130202356.A47852@hellblazer.nectar.cc>
In-Reply-To: ; from drosih@rpi.edu on Wed, Jan 30, 2002 at 11:21:49PM -0500

On Wed, Jan 30, 2002 at 11:21:49PM -0500, Garance A Drosihn wrote:
> I suggest that the main difference of opinion is what the phrase
> "firewall is disabled" brings to mind (in different minds).

No, it's a difference of opinion about what the phrase `firewall_enable=NO' or `firewall not enabled' brings to mind. But whatever, the horse is dead.

People all over the globe are currently wrangling over a better naming scheme for rc.conf knobs, and putting together patches for review. If any of these efforts produce something considerably better than what we have now, they will be committed. But probably not to -STABLE.
> I think we could have two settings, right next to each other, in
> /etc/defaults/rc.conf:
>
> firewall_enable=NO         # NO means 'no packets are blocked'
> firewall_rules_enable=YES  # NO means that if the firewall is up,
>                            # then all packets will be blocked,
>                            # ignoring any 'rules' you have defined.
>
> If anyone sees that change go by in mergemaster, and they do depend
> on the present behavior, and those comments (or something better
> than those) do not ring an alarm in their heads, then I would be
> either surprised or disturbed.
>
> Maybe even this is too drastic a change for -stable, although I'd
> it would work.

No, it won't work. Joe Experienced will configure a new system based on FreeBSD 4.N, and configure `firewall_enable=NO' as he has always done in the past. But WHAM the behavior of this new system is drastically different from any previous FreeBSD release that had a firewall_enable knob. He has no firewall at all, rather than a firewall which he configured by whatever mechanism. Worse, instead of this failure leaving him with all services blocked (no doubt something he's encountered before on accident), it leaves his system completely open.

In general, it is a bad idea to change the semantics of a system setting. Notice that when it was determined that we needed a setting for outbound-only sendmail, that we didn't change the semantics of `sendmail_enable'.

> I wouldn't push for this, but I have to believe
> there are few people who are running *-production-* systems where
> they depend on the present behavior of 'firewall_enable=NO',

I don't think it is so uncommon as to be unimportant.

> and
> that the present behavior *will* cause trouble for -stable users
> who want to "turn off the firewall just to test something".

The present behavior has served us pretty well for the last few years. This is hardly an emergency. This can be `fixed' in -CURRENT.
Introducing new knobs while leaving the old knobs in for backwards compatibility might be a reasonable compromise.

> Apologies if this is just a repeat of an earlier idea.

Apology accepted :-)

I'd set the follow-up to freebsd-current, but there is so little context here regarding the real issue that it would not be useful.

--
Jacques A. Vidrine                              http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
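As an added illustration of the hazard Jacques describes (this is not code from the thread or from FreeBSD's rc scripts): a POSIX shell script that reads the knobs from an rc.conf file and reports what that same file would do under the existing semantics and under the proposed two-knob scheme, flagging the case where a carried-over `firewall_enable=NO` flips a host from all-blocked to wide open. It assumes ipfw is compiled into the kernel with its default-deny rule, so "no rules loaded" means everything is blocked, as the thread describes; `knob_value`, `policy_existing`, `policy_proposed` and `semantics_flip` are names chosen here.

```shell
# Added example (not from the thread or FreeBSD's rc scripts). Assumes ipfw is
# compiled into the kernel with its default-deny rule, so "no rules loaded"
# means every packet is blocked, as the thread describes.

# knob_value FILE NAME: print the value of NAME=... in FILE (last setting wins),
# quotes and trailing comments stripped; prints nothing if the knob is unset.
knob_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Existing semantics: firewall_enable=NO only means "don't load any rules",
# so the kernel's default-deny rule stays in force.
policy_existing() {            # $1 = firewall_enable
    case "$1" in
        [Yy][Ee][Ss]) echo rules ;;
        *)            echo blocked ;;
    esac
}

# Proposed two-knob semantics: firewall_enable=NO means nothing is blocked;
# firewall_rules_enable=NO with the firewall up means everything is blocked.
policy_proposed() {            # $1 = firewall_enable, $2 = firewall_rules_enable
    case "$1" in
        [Yy][Ee][Ss])
            case "${2:-YES}" in
                [Yy][Ee][Ss]) echo rules ;;
                *)            echo blocked ;;
            esac ;;
        *) echo open ;;
    esac
}

# semantics_flip FILE: "FLIP" when the same rc.conf goes from all-blocked under
# the existing scheme to wide-open under the proposed one, otherwise "same".
semantics_flip() {
    fe=$(knob_value "$1" firewall_enable)
    fre=$(knob_value "$1" firewall_rules_enable)
    if [ "$(policy_existing "$fe")" = blocked ] && [ "$(policy_proposed "$fe" "$fre")" = open ]; then
        echo FLIP
    else
        echo same
    fi
}
# Constructed sample: the rc.conf "Joe Experienced" carries over from an older release.
sample=$(mktemp)
printf 'hostname="joe.example"\nfirewall_enable="NO"\n' > "$sample"
fe=$(knob_value "$sample" firewall_enable)
echo "existing: $(policy_existing "$fe")  proposed: $(policy_proposed "$fe")  $(semantics_flip "$sample")"
rm -f "$sample"
```

Running it on the constructed sample reports `existing: blocked  proposed: open  FLIP`, which is exactly the silent change from fail-closed to fail-open that the reply warns about; a carried-over rc.conf that sets `firewall_enable=YES` is reported as `same`.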