Date:      Mon, 28 Jan 2002 14:52:03 -0600
From:      "Jacques A. Vidrine" <n@nectar.cc>
To:        C J Michaels <cjm2@earthling.net>
Cc:        stable@freebsd.org, imp@village.org
Subject:   Re: Proposed Solution To Recent "firewall_enable" Thread.  [Please Read]
Message-ID:  <20020128205203.GE42996@madman.nectar.cc>
In-Reply-To: <1913.216.153.202.59.1012249133.squirrel@www1.27in.tv>
References:  <20020128192930.GA86720@student.uu.se> <1913.216.153.202.59.1012249133.squirrel@www1.27in.tv>

On Mon, Jan 28, 2002 at 03:18:53PM -0500, C J Michaels wrote:
> In light of all the recent ipfw hubbub, I think I have an equitable solution
> for all.  Most or all of these have been suggested by others, I am just
> trying to put them into one concise proposal.

Thanks for the effort, CJ.
 
> I am going to propose the following changes:
> 1.  We rename the option to something like "firewall_load_rules" or
>     "firewall_enable_rules", etc...  Someone else can come up with a
>     short yet more concise variable name.

I don't see any value in renaming the knob for -STABLE.  Renaming it
for -CURRENT might be useful.

> 2.  We grandfather in the old option of "firewall_enable" so existing
>     rc.conf(5)'s are not broken.

It is easier to ensure no breakage by not renaming it. :-) Despite the
chatter here, the current name has apparently caused little confusion
in the over 2 years that it has been around.

That's not to say that it shouldn't be better documented.

> 2b. At some point in the future, with much fanfare and documentation,
>     and probably messages to FreeBSD-Security-Advisories we phase out
>     the old option completely, so we don't keep a kludge in the
>     system.

Any requirement for fanfare and messages to security-notifications
should be a red flag that the change was too disruptive.

> 4.  Explicitly document the effect of both "YES" and "NO" in rc.conf(5).

By golly, I think you've got it. :-)


For the record, I have no objection to renaming the knob in -STABLE as
Security Officer.  I do not believe that renaming will endanger any
existing systems (/etc is untouched during upgrades unless the
administrator does an explicit merge).  However, as a committer and
even as Joe User, I think it is an inappropriate change for the
-STABLE branch.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
