At 5:16 PM -0500 2/1/02, Benjamin P. Grubin wrote:
>> I understand the first "error" (where the machine ends up completely
>> open) is not desirable. It is very very bad. However, I
>> think we can write some code to help out that user. That
>> user is extremely likely to be sitting at the console, and
>> they are extremely likely to want to log into that console,
>> and there is nothing which prevents them from logging in. We
>> can provide warning messages for that user, and they can
>> immediately fix the "error".
>
> I'm not sure why this would be considered not desirable or "bad"
> in any other way. When the kernel is first compiled with the
> firewalling code, it seems silly that anyone would, at that early
> point, consider themselves firewalled.
Well, actually, I can easily think of reasons a person might end up with the firewall compiled into the kernel, and why they might really want to come up in a completely locked-down environment. That may seem odd, but sometimes there are good reasons to be "very paranoid". I can also see that there should be some knob in rc.conf so a person can easily trigger this behavior. Note that they might want to do this *after* the initial install, where they have some reason to want to reboot and immediately come up with the firewall blocking all network access.

I really do not want to attack the intelligence of either group of users, since both groups have understandable reasons (IMO) for wanting the behavior that they want. Sometimes that happens. I just do not believe that the knob for this lockdown mode should be called 'firewall_enable=no', given the practical reality of what a user sees when they set 'foo_enable=no' for all other values of 'foo'.

[And it turned out that the panic call I got in the middle of my previous message was due to a loose ethernet cable, and not a bunch of servers crashing, so that turned out to be easy... :-)]

-- 
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]