From: "Crist J. Clark"
To: arch@freebsd.org
Date: Thu, 24 Jan 2002 22:22:25 -0800
Subject: Changing rc.conf(5) firewall_enable
Message-ID: <20020124222225.O87663@blossom.cjclark.org>

Patrick Greenwell brought up a good point on -stable. The rc.conf(5) knob, firewall_enable, does not exactly behave in the manner the novice (or not-so-novice) might expect. When it is set to "YES," the ipfw.ko module is loaded if firewalling is not built into the kernel, and the firewall configuration scripts are run. However, if 'firewall_enable="NO",' it does not disable the firewall.

I do not see any reason why 'firewall_enable="NO"' should not actually disable firewalling built into the kernel by setting,

    sysctl net.inet.ip.fw.enable=0

This seems to make more sense given the name, firewall_enable, and it also seems more useful. IMHO, this should be the behavior in -CURRENT for sure. In -STABLE, I think it would be OK too.
A machine with firewalling built into the kernel and firewall_enable not "YES" is almost useless (if it is not built with IPFIREWALL_DEFAULT_TO_ACCEPT). I don't think there are any machines out there running with firewalling built into the kernel with 'firewall_enable="NO"' who will have their security affected by such a change.

Other opinions? Pro? Con?

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
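The current and proposed handling of firewall_enable side by side, written as a dry-run shell function that prints the commands a startup script would run instead of executing them, so the decision logic can be checked on any host. This is an added example, not code from the post or from FreeBSD's rc scripts; the function name, its arguments and the "current"/"proposed" mode switch are assumptions.

```shell
# firewall_plan ENABLE BUILTIN [MODE]
#   ENABLE  : value of firewall_enable from rc.conf(5) ("YES"/"NO", any case)
#   BUILTIN : "builtin" if IPFIREWALL is compiled into the kernel,
#             "module" if it must come from ipfw.ko
#   MODE    : "current" (behaviour described in the post) or "proposed"
#             (firewall_enable="NO" also disables a built-in firewall);
#             defaults to "proposed". Mode and argument names are assumptions.
# Prints the commands that would run, one per line; nothing is executed.
firewall_plan() {
    enable=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    builtin=$2
    mode=${3:-proposed}

    case "$enable" in
    YES)
        # Unchanged in both modes: load the module only when firewalling
        # is not in the kernel, then run the firewall configuration script.
        if [ "$builtin" = "module" ]; then
            echo "kldload ipfw"
        fi
        echo "sh /etc/rc.firewall"
        ;;
    *)
        # Current behaviour: nothing happens, so a kernel built with
        # IPFIREWALL (and without IPFIREWALL_DEFAULT_TO_ACCEPT) is left
        # enabled with no rules loaded, i.e. it drops all traffic.
        # Proposed behaviour: switch the built-in firewall off instead.
        if [ "$mode" = "proposed" ] && [ "$builtin" = "builtin" ]; then
            echo "sysctl net.inet.ip.fw.enable=0"
        fi
        ;;
    esac
    return 0
}
```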