From owner-freebsd-stable Fri Jan 25 8:56:10 2002
From: Nate Williams
Date: Fri, 25 Jan 2002 09:55:48 -0700
To: Nik Clayton
Cc: Patrick Greenwell, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <15441.36372.572274.479242@caddis.yogotech.com>
In-Reply-To: <20020125092154.U53456@clan.nothing-going-on.org>
References: <20020124201411.A39351-100000@rockstar.stealthgeeks.net> <20020125092154.U53456@clan.nothing-going-on.org>
Reply-To: nate@yogotech.com (Nate Williams)

> > I recently got bit by this: I have firewall options configured into my
> > kernel, and made the mistake of thinking that in order to disable
> > this functionality to allow all traffic that I merely needed to remove the
> > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > /etc/defaults/rc.conf.
> >
> > This did not have the intended result of disabling the firewall, rather a
> > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > missing something?
> >
> > Opinions welcome.
>
> I've got a hunch this needs to be a tri-state variable.
>
> YES -- Load the firewall rules
> NO  -- Do nothing, default policy is compiled in to the kernel
> OFF -- Explicitly set net.inet.ip.fw.enable=0

Can you ever think of where 'NO' != 'OFF'?

In the case of a wide-open firewall, 'NO' == 'OFF' gives the same
functionality, and in the case of the default firewall setup (everything
filtered), the computer can't be used for anything, so I'd consider it a
mistake to enable the firewall with no rules *AND* have the network
connections enabled.

I think 'YES' and 'NO' would be fine.

Nate
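The state the thread describes (IPFIREWALL compiled in, firewall_enable left at NO, so only the compiled-in default rule is active) can be told apart from a real ruleset or a disabled firewall by looking at net.inet.ip.fw.enable together with `ipfw list`. The following check is an added example, not code from the thread or from FreeBSD's rc scripts; it assumes `ipfw list` prints one rule per line in the form `65535 deny ip from any to any`, and it takes both values as arguments so it can be run against captured output.

```sh
#!/bin/sh
# classify_fw ENABLE_SYSCTL RULE_LIST
#   ENABLE_SYSCTL: value of net.inet.ip.fw.enable ("0" or "1")
#   RULE_LIST:     output of `ipfw list`, one rule per line
# Prints one of:
#   disabled                - net.inet.ip.fw.enable=0, packets are not filtered
#   default-deny-no-rules   - only rule 65535 deny is present (the case in the thread)
#   default-accept-no-rules - only rule 65535 allow is present (IPFIREWALL_DEFAULT_TO_ACCEPT)
#   ruleset-loaded          - at least one rule besides 65535 exists
classify_fw() {
    enable="$1"
    rules="$2"
    if [ "$enable" = "0" ]; then
        echo disabled
        return 0
    fi
    # Count rules other than the compiled-in default rule 65535.
    # grep -c exits 1 when the count is 0, so guard it for set -e callers.
    nondefault=$(printf '%s\n' "$rules" | grep -v '^65535 ' | grep -c .) || true
    if [ "$nondefault" -gt 0 ]; then
        echo ruleset-loaded
        return 0
    fi
    # Only rule 65535 is present: the kernel's compiled-in policy decides.
    case "$rules" in
        *"65535 deny"*)  echo default-deny-no-rules ;;
        *"65535 allow"*) echo default-accept-no-rules ;;
        *)               echo unknown ;;
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NO_RULES_DENY='65535 deny ip from any to any'
SAMPLE_NO_RULES_ALLOW='65535 allow ip from any to any'
SAMPLE_WITH_RULES="$(printf '00100 allow ip from any to any via lo0\n65535 deny ip from any to any\n')"

# On a live FreeBSD host the arguments would come from:
#   classify_fw "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)"
classify_fw 1 "$SAMPLE_NO_RULES_DENY"    # default-deny-no-rules
classify_fw 1 "$SAMPLE_NO_RULES_ALLOW"   # default-accept-no-rules
classify_fw 1 "$SAMPLE_WITH_RULES"       # ruleset-loaded
classify_fw 0 "$SAMPLE_NO_RULES_DENY"    # disabled
```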