Date: Fri, 25 Jan 2002 21:02:54 -0500
From: Bob K
To: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020125210254.B454@yip.org>
References: <20020125203328.A454@yip.org> <20020125173525.O55184-100000@rockstar.stealthgeeks.net>
In-Reply-To: <20020125173525.O55184-100000@rockstar.stealthgeeks.net>

On Fri, Jan 25, 2002 at 05:40:04PM -0800, Patrick Greenwell wrote:
>
> > The problem is that you're not taking into account the installed base of
> > users who twiddle this knob. How many angry firewall admins will come
> > into being when the behaviour suddenly stops being, "don't load any
> > firewall rules" and starts being, "disable the firewall"?
>
> I could be mistaken, but it would seem to me that the number of
> individuals that really want to deny all traffic to and from their
> machine (which is the current result of setting firewall_enable to no)
> is relatively small.

If the variable name gets changed to, say, LOAD_FIREWALL_RULES, with the
rc scripts spitting out a warning (and otherwise behaving as expected) if
ENABLE_FIREWALL is encountered, then the number of people that get
surprised by the change would be zero.

That number would be higher than zero if the variable behaviour is
changed.

As for people that want to deny all traffic, I can think of at least one
case where this might be desired: People who only want connectivity
enabled after a PPP or SL/IP or some scripted link with user intervention
comes up.

-- 
Bob | Please don't feed the sock puppet.
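A sketch of the compatibility shim proposed in this thread, added here as an illustration and not taken from FreeBSD's rc scripts; the function name, the `load_firewall_rules` spelling and the `load`/`skip` outcomes are assumptions.

```shell
# Constructed illustration (not rc.firewall): accept the proposed
# load_firewall_rules knob, warn when the legacy firewall_enable name is
# still in use, and report what the rc script would do as a result.
#
# Prints one of:
#   load - load the ruleset from firewall_type/firewall_script
#   skip - load nothing; with IPFIREWALL compiled in and no
#          IPFIREWALL_DEFAULT_TO_ACCEPT the kernel then denies all traffic,
#          which is the "firewall_enable=NO" behaviour the thread discusses
#
# Usage: firewall_decide <load_firewall_rules> <firewall_enable>
firewall_decide() {
    load_rules="$1"
    legacy="$2"
    if [ -n "$legacy" ]; then
        echo "WARNING: firewall_enable is obsolete; set load_firewall_rules instead" >&2
        if [ -z "$load_rules" ]; then
            # Only the old knob is set: keep behaving exactly as before,
            # so nobody who only set firewall_enable is surprised.
            load_rules="$legacy"
        elif [ "$load_rules" != "$legacy" ]; then
            echo "WARNING: load_firewall_rules=$load_rules overrides firewall_enable=$legacy" >&2
        fi
    fi
    case "$load_rules" in
    [Yy][Ee][Ss]) echo load ;;
    *)            echo skip ;;
    esac
}
```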