Date:      Mon, 28 Jan 2002 13:26:03 -0700
From:      Nate Williams <nate@yogotech.com>
To:        Chad David <davidc@acns.ab.ca>
Cc:        Patrick Greenwell <patrick@stealthgeeks.net>, "Robert D. Hughes" <rob@robhughes.com>, Nate Williams <nate@yogotech.com>, Justin White <justinfinity@mac.com>, freebsd-stable@FreeBSD.ORG
Subject:   Re: firewall config (CTFM)
Message-ID:  <15445.46043.85910.572903@caddis.yogotech.com>
In-Reply-To: <20020128132015.A66369@colnta.acns.ab.ca>
References:  <B95B566BD245174196CA4EE29E5818831B6469@HEXCH01.robhughes.com> <20020128113806.O95859-100000@rockstar.stealthgeeks.net> <20020128132015.A66369@colnta.acns.ab.ca>

> Could you please explain how the following makes sense?
> 
> 	1) I enable ipfw in my kernel
> 	2) I do not configure it to allow by default
> 	3) I reboot with firewall_enable="NO"
> 	4) The firewall defaults to allow
> 
> If I set the default in my kernel config to deny, then that is exactly
> what I want it to do.  If I want it to allow by default then that is
> what I will put in the kernel config.

Can you give me a *REAL WORLD* example of when you would want this sort
of setup once a box has been configured?  (Seriously).

Don't give me straw-man (if the box wasn't configured, etc...), since
you could just as easily enable the firewall and it behaves the same.

Basically, if you have a firewall, firewall_enable="NO" ==
firewall_enable="YES" if you don't touch /etc/rc.firewall or
/etc/rc.firewall_script.

> What you are asking for is that the firewall code not be enabled in the
> kernel (same as allow ip from any to any), which goes against your
> previous wishes when you compiled it into your kernel.  Perhaps neither
> is obvious, but who gets to win?

Why did you compile in the firewall if you don't want it enabled?

In any case, the people arguing against are arguing for the sake of
keeping past behavior, regardless of how logical it should be.

"Let's keep those bugs, cause I've grown accustomed to them so long that
I now expect them to be there.  Screw any new users who want to use the
system!"




Nate
