From owner-freebsd-stable Sat Mar 25 20: 8:51 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from polaris.shore.net (polaris.shore.net [207.244.124.105]) by hub.freebsd.org (Postfix) with ESMTP id 8055537B83A for ; Sat, 25 Mar 2000 20:08:45 -0800 (PST) (envelope-from tjlegg@shore.net)
Received: from eskimos.the-eleven.com [207.244.92.51] by polaris.shore.net with esmtp (Exim) id 12Z4Ly-0002N2-00; Sat, 25 Mar 2000 23:08:42 -0500
Mime-Version: 1.0
X-Sender: tjlegg@shell2.shore.net
Message-Id:
In-Reply-To: <38DD87C8.8D8FC976@gorean.org>
References: <38DD87C8.8D8FC976@gorean.org>
Date: Sat, 25 Mar 2000 23:08:29 -0500
To: Doug Barton
From: Tom Legg
Subject: Re: Minor rc.network bug for 4.0 and ipfw
Cc: freebsd-stable@freebsd.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 7:45 PM -0800 3/25/2000, Doug Barton wrote:
>Tom Legg wrote:
>
>> The current situation creates a potential problem for 4.0 admins (at
>> least I didn't notice it until I upgraded to the 4.0 kernel)
>
> This situation hasn't changed. It's always been this way.
>
>> If you compile a kernel with ipfw in the kernel but do nothing to
>> modify /etc/defaults/rc.conf and boot, net.inet.ip.fw.enable is set
>> to 1 and since the default for enable is NO, no further action is
>> done upon the firewall scripts.
>
> The theory is that a sysadmin who is enabling these options will have
>read the documentation and done what he can to properly prepare. For
>those who are concerned about foot shooting, the "default to accept"
>kernel option is available.
>
> If you're really needing a secure firewall, it's more important that it
>is secure from boot, with or without the ability to read the rc scripts.
>If you don't need that level of security, other options are available to
>you.

No problems here really.
But it does seem to be really silly then to have a default rc.conf firewall_enable flag set to "NO" when the kernel flag default when compiled in is set to "YES". In fact the current situation renders the rc.conf flag for firewall_enable moot. You might as well eliminate the flag and have /etc/rc.network check whether net.inet.ip.fw.enable=1 and go from there.

--
-----
Tom Legg
tjlegg@shore.net
http://www.shore.net/~tjlegg/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
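As an added example (not part of this thread and not FreeBSD's own rc code), a POSIX sh check for the mismatch described above: ipfw compiled in and enabled via net.inet.ip.fw.enable while rc.conf still carries the default firewall_enable="NO", so rc.network loads no rules. The sysctl value and the rc.conf path are taken as parameters (an assumed interface) so the check runs offline against a constructed rc.conf; on a live 4.0 box the value would come from `sysctl -n net.inet.ip.fw.enable`.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc scripts): flag the case
# where ipfw is compiled into the kernel (net.inet.ip.fw.enable=1) while
# rc.conf leaves firewall_enable="NO", so rc.network loads no rules and a
# default-deny kernel blocks all traffic from boot. The sysctl value and the
# rc.conf path are parameters so the check runs offline on constructed input.

# rc_conf_value FILE VAR: print the value of the last VAR=... assignment in
# FILE, quotes stripped. The real rc scripts source rc.conf; this is a
# read-only approximation good enough for simple assignments.
rc_conf_value() {
    _file=$1; _var=$2
    sed -n "s/^[[:space:]]*${_var}=[\"']*\([^\"'[:space:]]*\).*/\1/p" "$_file" | tail -n 1
}

# ipfw_check FW_ENABLE RC_CONF: FW_ENABLE is the value of net.inet.ip.fw.enable
# (on a live box: sysctl -n net.inet.ip.fw.enable). Prints a verdict; returns
# 0 when kernel and rc.conf agree, 1 when they do not.
ipfw_check() {
    _fw_enable=$1
    _flag=$(rc_conf_value "$2" firewall_enable)
    _flag=${_flag:-NO}    # unset means the /etc/defaults/rc.conf value, NO
    case "$_fw_enable:$_flag" in
        1:[Yy][Ee][Ss])
            echo "ok: ipfw enabled in kernel and rc.conf will load firewall rules"
            return 0 ;;
        1:*)
            echo "MISMATCH: net.inet.ip.fw.enable=1 but firewall_enable=\"$_flag\";"
            echo "  rc.network will load no rules; a default-deny kernel passes nothing"
            return 1 ;;
        *:[Yy][Ee][Ss])
            echo "MISMATCH: firewall_enable=YES but ipfw is not enabled in the kernel"
            return 1 ;;
        *)
            echo "ok: ipfw not enabled in kernel and rc.conf does not expect it"
            return 0 ;;
    esac
}

# Demo on a constructed rc.conf: the stock default (firewall_enable="NO") on a
# kernel built with ipfw, which is exactly the situation in the thread.
demo() {
    _tmp=$(mktemp)
    printf 'firewall_enable="NO"\nfirewall_type="UNKNOWN"\n' > "$_tmp"
    ipfw_check 1 "$_tmp" || :
    rm -f "$_tmp"
}
demo
```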