Date: Fri, 25 Jan 2002 20:05:37 -0600
From: "Mike Meyer" <mwm-dated-1012442737.170460@mired.org>
To: Patrick Greenwell <patrick@stealthgeeks.net>
Cc: Bob K <melange@yip.org>, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <15442.3825.38443.26350@guru.mired.org>
In-Reply-To: <20020125173525.O55184-100000@rockstar.stealthgeeks.net>
References: <20020125203328.A454@yip.org> <20020125173525.O55184-100000@rockstar.stealthgeeks.net>
Patrick Greenwell <patrick@stealthgeeks.net> types:
> On Fri, 25 Jan 2002, Bob K wrote:
> > The problem is that you're not taking into account the installed base of
> > users who twiddle this knob. How many angry firewall admins will come
> > into being when the behaviour suddenly stops being, "don't load any
> > firewall rules" and starts being, "disable the firewall"?
> I could be mistaken, but it would seem to me that the number of
> individuals that really want to deny all traffic to and from their
> machine (which is the current result of setting firewall_enable to no)
> is relatively small.

Actually, that's the base you want to start with when building a firewall.
You then go on to allow in traffic that you want to pass through.

This is really a security issue. If you're tweaking the firewall for a
machine, what do you want to happen if you screw so badly the rules
aren't loaded: 1) nobody can get to the machine, or 2) the machine is
wide open to the world. #1 is clearly the more secure behavior, and thus
makes sense as the default.

Yes, it means that in the case where you've built a custom kernel with a
firewall and not set up any firewall rules, the rc.conf firewall_enable
variable is a bit odd; after all, you've enabled the firewall already.
If you want it to behave the other way when you build a custom kernel,
you can. Personally, I think the current behavior of making things more
secure is the better default.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message