Date: Fri, 1 Feb 2002 17:39:28 -0500
From: Garance A Drosihn <drosih@rpi.edu>
To: "Benjamin P. Grubin" <bgrubin@pobox.com>
Cc: <freebsd-current@FreeBSD.ORG>
Subject: RE: *_enable="YES" behavior is bogus
Message-ID: <p05101417b880c67c06dc@[128.113.24.47]>
In-Reply-To: <000d01c1ab6e$1e8f8900$080aa8c0@vinzclortho>
References: <000d01c1ab6e$1e8f8900$080aa8c0@vinzclortho>
At 5:16 PM -0500 2/1/02, Benjamin P. Grubin wrote:
>> I understand the first "error" (where the machine ends up completely
>> open) is not desirable. It is very very bad. However, I
>> think we can write some code to help out that user. That
>> user is extremely likely to be sitting at the console, and
>> they are extremely likely to want to log into that console,
>> and there is nothing which prevents them from logging in. We
>> can provide warning messages for that user, and they can
>> immediately fix the "error".
>
> I'm not sure why this would be considered not desirable or "bad"
> in any other way. When the kernel is first compiled with the
> firewalling code, it seems silly that anyone would, at that early
> point, consider themselves firewalled.

Well, actually, I can easily think of reasons a person might end up
with the firewall compiled into the kernel, and why they might really
want to come up in a completely-locked-down environment. That may seem
odd, but sometimes there are good reasons to be "very paranoid". I can
also see that there should be some knob in rc.conf so a person can
easily trigger this behavior. Note that they might want to do this
*after* the initial install, where they have some reason that they want
to reboot and immediately come up with the firewall blocking all network
access.

I really do not want to attack the intelligence of either group of
users, since both groups have understandable reasons (IMO) for wanting
the behavior that they want. Sometimes that happens. I just do not
believe that the knob for this lockdown mode should be called
'firewall_enable=no', given the practical reality of what a user sees
when they set 'foo_enable=no' for all other values of 'foo'.

[and it turned out that the panic call I got in the middle of my
previous message was due to a loose ethernet cable, and not a bunch of
servers crashing, so that turned out to be easy... :-)]

-- 
Garance Alistair Drosehn     =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer    or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p05101417b880c67c06dc>