On Fri, 25 Jan 2002, Thomas T. Veldhouse wrote:
> > > It only works the way
> > > complained about when you build your own custom kernel with IPFIREWALL and
> > > not with IPFIREWALL_DEFAULT_TO_ACCEPT. At that point, I think the admin
> > > needs to educate oneself. I prefer to leave it as is, as it errs on the
> > > side of safety.
> >
> > I am not sure that making the system pretty much unusable really errs
> > on the side of safety. I guess brick, cut off from the world, is
> > pretty secure. We always need to balance security versus other
> > factors and usability is one of the big ones.
>
> No -- it implies that you should know what you are doing if you are going to
> be building and installing new kernels and working on your firewall remotely.
> There is NOTHING stopping you from getting onto the machine with a good old
> fashioned keyboard.

You know, I continue to be amazed at the attitude that says that things
should be kept counter-intuitive and anyone who doesn't like it that way
is ignorant. What possible benefit is there in perpetuating mislabeled
behavior?

To me, it's very simple: there's this "firewall_enable" option in rc.conf,
and I think that reasonable people would infer that if you set it to "no"
it meant that you didn't want a firewall enabled (based on the name of the
variable), yet that is not what happens.

All the documentation reading in the world isn't going to make me think it's a
good idea to have "no" mean "yes" and I certainly don't think it's useful or
helpful to cast aspersions on individuals who want "no" to actually mean "no."

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
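
The combination discussed in this thread can be checked before rebooting a remote machine. The script below is an added example, not part of the original messages or of FreeBSD's rc scripts: it reads a kernel configuration file and an rc.conf and reports whether the kernel has IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT while firewall_enable is not "YES". The function names, verdict words and sample files are assumptions made for the example, and an unset firewall_enable is treated as "NO".

```shell
#!/bin/sh
# Added example, not from the thread. File names and contents are constructed.

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
has_option() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)"
}

# rc_value FILE VAR: last uncommented assignment of VAR, unquoted, lowercased.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" |
        tail -n 1 | tr -d "\"' \t" | tr 'A-Z' 'a-z'
}

# check_lockout KERNCONF RCCONF: print one verdict word.
check_lockout() {
    if ! has_option "$1" IPFIREWALL; then
        echo "no-ipfw"            # firewall code not compiled in
    elif has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "default-accept"     # compiled-in default rule allows traffic
    elif [ "$(rc_value "$2" firewall_enable)" = "yes" ]; then
        echo "rules-loaded"       # rc loads a ruleset at boot
    else
        # No ruleset is loaded, so only the compiled-in default deny remains:
        # the case the thread describes, where "NO" still leaves a firewall.
        echo "default-deny"
    fi
}

# Constructed sample input: custom kernel config plus rc.conf with "NO".
demo() {
    dir=$(mktemp -d) || return 1
    printf 'options IPFIREWALL\noptions IPFIREWALL_VERBOSE\n' > "$dir/KERNEL"
    printf 'sshd_enable="YES"\nfirewall_enable="NO"  # off?\n' > "$dir/rc.conf"
    check_lockout "$dir/KERNEL" "$dir/rc.conf"
    rm -rf "$dir"
}
demo
```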