Patrick Greenwell <[EMAIL PROTECTED]> types:
> On Fri, 25 Jan 2002, Bob K wrote:
> > The problem is that you're not taking into account the installed base of
> > users who twiddle this knob. How many angry firewall admins will come
> > into being when the behaviour suddenly stops being, "don't load any
> > firewall rules" and starts being, "disable the firewall"?
> I could be mistaken, but it would seem to me that the number of
> individuals that really want to deny all traffic to and from their
> machine (which is the current result of setting firewall_enable to no)
> is relatively small.
Actually, that's the base you want to start with when building a firewall. You then go on to allow in traffic that you want to pass through.

This is really a security issue. If you're tweaking the firewall for a machine, what do you want to happen if you screw up so badly that the rules aren't loaded: 1) nobody can get to the machine, or 2) the machine is wide open to the world? #1 is clearly the more secure behavior, and thus makes sense as the default.

Yes, it means that in the case where you've built a custom kernel with a firewall and not set up any firewall rules, the rc.conf firewall_enable variable is a bit odd; after all, you've enabled the firewall already. If you want it to behave the other way when you build a custom kernel, you can. Personally, I think the current behavior of making things more secure is the better default.

<mike
--
Mike Meyer <[EMAIL PROTECTED]> http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
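The state the thread argues about, a kernel with IPFIREWALL compiled in and no rules loaded, shows up in `ipfw list` as nothing but the default rule 65535. The check below is an added example (not code from the thread or from FreeBSD) that classifies an `ipfw list` listing as deny-all, open or filtered; the three sample listings are constructed so it runs offline, and it assumes the default rule was compiled as deny (no IPFIREWALL_DEFAULT_TO_ACCEPT).

```shell
#!/bin/sh
# Added example: classify the effective ipfw policy from `ipfw list` output.
# On a FreeBSD host you would run:  ipfw list | classify_ipfw_policy
# Prints one of: deny-all, open, filtered.
classify_ipfw_policy() {
    local n_rules=0 default_action="" last_rule=""
    while read -r num action rest; do
        [ -z "$num" ] && continue
        if [ "$num" = "65535" ]; then
            # Rule 65535 is the kernel-compiled default rule.
            default_action=$action
        else
            n_rules=$((n_rules + 1))
            last_rule="$action $rest"
        fi
    done
    if [ "$n_rules" -eq 0 ]; then
        # No rules loaded: the outcome depends solely on the default rule.
        # "deny" here is the firewall_enable="NO" case discussed above.
        [ "$default_action" = "deny" ] && echo deny-all || echo open
    elif [ "$last_rule" = "allow ip from any to any" ]; then
        # A trailing allow-all (e.g. firewall_type="open") makes the
        # default rule unreachable: the host is wide open.
        echo open
    else
        echo filtered
    fi
}

# Constructed sample listings (not captured from a real host).
DENY_ALL_LISTING='65535 deny ip from any to any'
OPEN_LISTING='65000 allow ip from any to any
65535 deny ip from any to any'
FILTERED_LISTING='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 22
65535 deny ip from any to any'

# Wrapper so each sample can be classified by name.
classify_sample() {
    case "$1" in
        deny) printf '%s\n' "$DENY_ALL_LISTING" | classify_ipfw_policy ;;
        open) printf '%s\n' "$OPEN_LISTING" | classify_ipfw_policy ;;
        filtered) printf '%s\n' "$FILTERED_LISTING" | classify_ipfw_policy ;;
    esac
}
```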