Date: Mon, 28 Jan 2002 14:52:03 -0600
From: "Jacques A. Vidrine"
To: C J Michaels
Cc: stable@freebsd.org, imp@village.org
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <20020128205203.GE42996@madman.nectar.cc>

On Mon, Jan 28, 2002 at 03:18:53PM -0500, C J Michaels wrote:
> In light of all the recent ipfw hubbub, I think I have an equitable solution
> for all.  Most or all of these have been suggested by others, I am just
> trying to put them into one concise proposal.

Thanks for the effort, CJ.

> I am going to propose the following changes:
> 1.  We rename the option to something like "firewall_load_rules" or
>     "firewall_enable_rules", etc...  Someone else can come up with a
>     short yet more concise variable name.

I don't see any value in renaming the knob for -STABLE.  Renaming it
for -CURRENT might be useful.

> 2.  We grandfather in the old option of "firewall_enable" so existing
>     rc.conf(5)'s are not broken.

It is easier to ensure no breakage by not renaming it. :-)  Despite the
chatter here, the current name has apparently caused little confusion
in the over 2 years that it has been around.  That's not to say that
it shouldn't be better documented.

> 2b. At some point in the future, with much fanfare and documentation,
>     and probably messages to FreeBSD-Security-Advisories we phase out
>     the old option completely, so we don't keep a kludge in the
>     system.

Any requirement for fanfare and messages to security-notifications
should be a red flag that the change was too disruptive.

> 4.  Explicitly document the effect of both "YES" and "NO" in rc.conf(5).

By golly, I think you've got it. :-)

For the record, I have no objection to renaming the knob in -STABLE as
Security Officer.  I do not believe that renaming will endanger any
existing systems (/etc is untouched during upgrades unless the
administrator does an explicit merge).

However, as a committer and even as Joe User, I think it is an
inappropriate change for the -STABLE branch.

Cheers,
-- 
Jacques A. Vidrine                          http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se