Date: Fri, 25 Jan 2002 09:54:21 +0200
From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: arch@FreeBSD.ORG
Subject: Re: Changing rc.conf(5) firewall_enable
Message-ID: <20020125095421.B57703@sunbay.com>
In-Reply-To: <20020124222225.O87663@blossom.cjclark.org>
References: <20020124222225.O87663@blossom.cjclark.org>

On Thu, Jan 24, 2002 at 10:22:25PM -0800, Crist J. Clark wrote:
> Patrick Greenwell <patrick@stealthgeeks.net> brought up a good point
> on -stable. The rc.conf(5) knob, firewall_enable, does not exactly
> behave in the manner the novice (or not-so-novice) might expect. When
> it is set to "YES," the ipfw.ko module is loaded if firewalling is not
> built into the kernel, and the firewall configuration scripts are run.
> However, if 'firewall_enable="NO",' it does not disable the
> firewall.
>
> I do not see any reason why 'firewall_enable="NO"' should not actually
> disable firewalling built into the kernel by setting,
>
>   sysctl net.inet.ip.fw.enable=0
>
> This seems to make more sense given the name, firewall_enable, and it
> also seems more useful.
>
> IMHO, this should be the behavior in -CURRENT for sure. In -STABLE, I
> think it would be OK too. A machine with firewalling built into the
> kernel and firewall_enable not "YES" is almost useless (if it is
> not built with IPFIREWALL_DEFAULT_TO_ACCEPT). I don't think there are
> any machines out there running with firewalling built into the kernel
> with 'firewall_enable="NO"' who will have their security affected by
> such a change.
>
> Other opinions? Pro? Con?
>
Please count me in for this change.

<PS>
Seems you've managed to get rid of that extra space. :-)
</PS>

Cheers,
-- 
Ruslan Ermilov          Oracle Developer/DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age