>> I understand the first "error" (where the machine ends up completely
>> open) is not desirable.  It is very very bad.  However, I
>> think we can write some code to help out that user.  That
>> user is extremely likely to be sitting at the console, and
>> they are extremely likely to want to log into that console,
>> and there is nothing which prevents them from logging in.  We
>> can provide warning messages for that user, and they can
>> immediately fix the "error".
>I'm not sure why this would be considered not desirable or "bad"
>in any other way.  When the kernel is first compiled with the
>firewalling code, it seems silly that anyone would, at that early
>point, consider themselves firewalled.

Well, actually, I can easily think of reasons a person might end
up with the firewall compiled into the kernel, and why they might
really want to come up in a completely locked-down environment.
That may seem odd, but sometimes there are good reasons to be
"very paranoid".

I can also see that there should be some knob in rc.conf so a
person can easily trigger this behavior.  Note that they might
want to do this *after* the initial install, where they have some
reason where they want to reboot and immediately come up with
the firewall blocking all network access.  I really do not want
to attack the intelligence of either group of users, since both
groups have understandable reasons (IMO) for wanting the behavior
that they want.  Sometimes that happens.

I just do not believe that the knob for this lockdown mode should
be called 'firewall_enable=no', given the practical reality of
what a user sees when they set 'foo_enable=no' for all other
values of 'foo'.

[and it turned out that the panic call I got in the middle of my
previous message was due to a loose ethernet cable, and not a
bunch of servers crashing, so that turned out to be easy... :-)]

