In message <20020227141637.A28132@noc.untraceable.net>, Andrew Brown writes:
>>> >The version in -current now has '-D' now too, but unfortunately
>>> >etc/rc.d/ipmon has not yet been fixed to use it explicitly....
>>> 
>>> what do you mean?  the -D flag was added to ipmon_flags in
>>> /etc/defaults/rc.conf last july, so there's no need for "explicit" use
>>> of it.
>>
>>I mean that's the wrong way to use it.  Obviously there's been an
>>problem with people not including '-D' in their own /etc/rc.conf
>>settings, and if you think about it for a tiny wee moment longer you'll
>>hopefully realise that in the way /etc/rc.d/ipmon invokes 'ipmon' the
>>'-D' will _ALWAYS_ be absolutely required, and therefore the correct
>>solution is to explicitly use '-D' in that invocation (and to not rely
>>on admins keeping it in their /etc/rc.conf settings)!
>
>that line of reasoning leads to believing that *all* the settings in
>/etc/defaults/rc.conf should be set in the binaries, and only be able
>to be turned *off* through the use of flags.  that's just not right.
>the reason for flags and options is so that programs can serve
>multiple tasks.  being started automatically at boot time is only one
>task, and only hubris would lead one to believe that that was the best
>purpose.

Right, but a mandatory option doesn't make much sense, either.

Perhaps the rc.d file should specify -D for ipmon, since that flag is 
always required in this context?  The point is to get it out of 
rc.conf, where it's likely to be dropped by accident.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com