Date:      Fri, 25 Jan 2002 17:05:48 -0800 (PST)
From:      Patrick Greenwell <patrick@stealthgeeks.net>
To:        "Thomas T. Veldhouse" <veldy@veldy.net>
Cc:        cjclark@alum.mit.edu, <stable@FreeBSD.ORG>
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020125165307.C54729-100000@rockstar.stealthgeeks.net>
In-Reply-To: <000c01c1a5ff$a4539870$0101a8c0@cascade>

On Fri, 25 Jan 2002, Thomas T. Veldhouse wrote:

> > > It only works the way
> > > complained about when you build your own custom kernel with IPFIREWALL and
> > > not with IPFIREWALL_DEFAULT_TO_ACCEPT.  At that point, I think the admin
> > > needs to educate oneself.  I prefer to leave it as is, as it errs on the
> > > side of safety.
> >
> > I am not sure that making the system pretty much unusable really errs
> > on the side of safety. I guess brick, cut off from the world, is
> > pretty secure.  We always need to balance security versus other
> > factors and usability is one of the big ones.
>
> No -- it implies that you should know what you are doing if you are going to
> be building and installing new kernels and working on your firewall remotely.
> There is NOTHING stopping you from getting onto the machine with a good old
> fashioned keyboard.

You know, I continue to be amazed at the attitude that says that things
should be kept counter-intuitive and anyone who doesn't like it that way
is ignorant. What possible benefit is there in perpetuating mislabeled
behavior?

To me, it's very simple: there's this "firewall_enable" option in rc.conf,
and I think that reasonable people would infer that if you set it to "no"
it meant that you didn't want a firewall enabled (based on the name of the
variable), yet that is not what happens.

All the documentation reading in the world isn't going to make me think it's a
good idea to have "no" mean "yes" and I certainly don't think it's useful or
helpful to cast aspersions on individuals who want "no" to actually mean "no."

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
                     Stealthgeeks,LLC. Operations Consulting
                          http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
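The behaviour the thread is arguing about is a combination of two settings: a kernel built with `options IPFIREWALL` but without `options IPFIREWALL_DEFAULT_TO_ACCEPT` ships with default rule 65535 set to deny, and `firewall_enable="NO"` in rc.conf simply means no ruleset gets loaded at boot, so the box comes up passing nothing. The following is an added example, not code from this message or from FreeBSD's rc scripts: a pre-reboot check that reads a kernel configuration file and an rc.conf and reports which of the four outcomes to expect. The file names, the function name `ipfw_boot_check`, and the sample kernel configs and rc.conf files written by `make_samples` are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Given a kernel config file and
# an rc.conf, report what ipfw will do right after the reboot:
#   NO_IPFW        - IPFIREWALL not compiled in, nothing to worry about here
#   DEFAULT_ACCEPT - IPFIREWALL_DEFAULT_TO_ACCEPT present, rule 65535 allows
#   RULES_LOADED   - firewall_enable=YES, rc will load firewall_type rules
#   LOCKOUT        - ipfw compiled in, rule 65535 denies, and rc loads nothing
ipfw_boot_check() {
    kernconf="$1"   # e.g. /usr/src/sys/i386/conf/MYKERNEL (assumed path)
    rcconf="$2"     # the rc.conf that will be in effect at boot

    # Match the bare "options IPFIREWALL" line only, not IPFIREWALL_VERBOSE etc.
    if ! grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$kernconf"; then
        echo NO_IPFW; return 0
    fi
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$kernconf"; then
        echo DEFAULT_ACCEPT; return 0
    fi

    # rc.conf is sourced by sh, so the last assignment wins; strip quotes and
    # trailing comments and compare case-insensitively.
    fw_enable=$(grep -E '^[[:space:]]*firewall_enable=' "$rcconf" \
        | tail -n 1 | cut -d= -f2 | awk '{print $1}' \
        | tr -d "\"'" | tr 'a-z' 'A-Z')
    if [ "$fw_enable" = "YES" ]; then
        echo RULES_LOADED; return 0
    fi
    echo LOCKOUT
}

# Constructed sample inputs (not real system files) so the check runs offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/LOCKED" <<'EOF'
# sample kernel config: ipfw compiled in, default rule denies
ident   LOCKED
options IPFIREWALL
options IPFIREWALL_VERBOSE
EOF
    cat > "$dir/OPEN" <<'EOF'
ident   OPEN
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
EOF
    cat > "$dir/rc.conf.no" <<'EOF'
hostname="cascade.example"
firewall_enable="NO"   # reads as "no firewall", but loads no rules either
EOF
    cat > "$dir/rc.conf.yes" <<'EOF'
firewall_enable="YES"
firewall_type="open"
EOF
    echo "$dir"
}

samples=$(make_samples)
echo "LOCKED kernel, firewall_enable=NO : $(ipfw_boot_check "$samples/LOCKED" "$samples/rc.conf.no")"
echo "LOCKED kernel, firewall_enable=YES: $(ipfw_boot_check "$samples/LOCKED" "$samples/rc.conf.yes")"
echo "OPEN kernel,   firewall_enable=NO : $(ipfw_boot_check "$samples/OPEN" "$samples/rc.conf.no")"
```

A LOCKOUT result means that after the reboot `ipfw list` on the console will show nothing but `65535 deny ip from any to any`, which is exactly the "no means yes" the message above complains about; the fix before rebooting is either `firewall_enable="YES"` with a suitable `firewall_type`, or adding `options IPFIREWALL_DEFAULT_TO_ACCEPT` to the kernel config.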

