Date:      Sun, 27 Jan 2002 19:19:46 -0000
From:      Matthew Whelan <muttley@gotadsl.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <3Z42NMCLH4XXSEATPZWZY2L8383GF.3c5452d2@VicNBob>
In-Reply-To: <200201271757.g0RHvTF12944@midway.uchicago.edu>

27/01/2002 17:57:32, David Syphers <dsyphers@uchicago.edu> wrote:

>On Sunday 27 January 2002 11:27 am, M. Warner Losh wrote:
>> Right now what I have works.  You are changing the semantics of a
>> security related feature of the system in such a way that after this
>> change what I have will not work.  I agree that your work around will
>> allow me to easily correct things.  However, if I fail to do so, I
>> open my firewall up completely.  To me, that's an unacceptable change
>> in the API.

I'm kinda with Warner on this one :) There's also the question of the gap 
between initial install and constructing the firewall rules... admittedly 
there's no good reason to have the box plugged in at this point but people 
may forget to take it out after nfs/ftp installing.

>As others have pointed out this behavior is 
>documented, but we must remember that a variable name itself is the most 
>important and immediate documentation.  And having a firewall load when 
>firewall_enable is NO is complete nonsense.

Well, this is a good point. The point it raises is that the variable name is 
wrong. In the case of compiled-in firewall, the behaviour is 
'apply_firewall_rules' not 'firewall_enable'. The proposed change would make 
'firewall_enable=NO' behave not like it reads but as 'firewall_disable=YES'.

Compiling the firewall into your kernel and then having rc remove it *would 
be* a complete nonsense.

Matthew


