From: Tuomo S. <ti...@fo...> - 2005-09-02 11:42:29
Tom Eastep wrote:
>
> I think that's awful.

I second that.

>>But forcing them to update the entry in the zones file
>>and in shorewall.conf just seems wrong so the second proposal is to
>>require a magic comment in the zone entry for the local computer zone
>>name. I don't like magic comments, but adding a fourth column in the
>>zones file also seems wrong.
>>
>>If we remove the FW variable from shorewall.conf we can set it when we
>>see the magic flag in the zone file comment field:
>>
>
> Comments?

I don't really like to change behaviour of $FW at all. But imho it would be better to replace s/fw/$FW/ in all samples. It's better to advise people to use $FW as firewall zone by default instead of using fw as firewall zone.

Using $FW makes it clear that firewall zone is somehow "magic" zone. Firewall system itself is not at all same as other zones, it's firewall system itself and it _is_ special case.

I like current practice over proposals. It's clean and easy to understand by anybody having even basic knowledge of netfilter firewalling. And as before stated, it makes possible to have same configs in several firewalls by using different values of FW= in shorewall.conf.

-- 
Tuomo Soini <ti...@fo...>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>