Date:      Thu, 21 Feb 2002 05:32:44 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        current@freebsd.org
Subject:   HEADS UP: Minor rc.firewall{,6} Change
Message-ID:  <20020221053244.S48401@blossom.cjclark.org>

I just made a few _minor_ changes to the rc.firewall{,6} scripts. The
vast majority of users will not be affected. However, since a few may
be, and this is a security issue with the potential to cause some
subtle breakage, I felt a small HEADS UP was in order. (For the very
security conscious and paranoid, note that this change can only
"fail-safe" if people apply it blindly. You'll be "more secure," but
it may break stuff.)

If you do not use firewalling or rc.firewall{,6} at all (that is, you
do not have 'firewall_enable="YES"' and/or
'ipv6_firewall_enable="YES"') or if you use custom rc.firewall{,6}
scripts, you are not affected. Two groups of people who use the
provided firewall scripts are affected:

  1) Those who put a rules file in the 'firewall_type' variable, or

  2) Those who put a non-existent type in the 'firewall_type' variable.

In both cases, you will no longer get the rules,

        100 pass all from any to any via lo0
        200 deny all from any to 127.0.0.0/8
        300 deny ip from 127.0.0.0/8 to any

in rc.firewall, and,

        100 pass all from any to any via lo0
        200 pass ipv6-icmp from :: to ff02::/16
        300 pass ipv6-icmp from fe80::/10 to fe80::/10
        400 pass ipv6-icmp from fe80::/10 to ff02::/16

in rc.firewall6, added to your firewall by the system scripts.

If you are in group (1), you should add whatever rules like these
_you_ want for _your_ site into your rule file. If you are in group
(2), using 'firewall_type="closed"' (which now works as advertised) will
give you the same effect as your current configuration.

The motivation for the change was mainly for the people in group
(1). Up until now, those rules were added _unconditionally_ by the
rc.network{,6} scripts. For people who want to define their own
rulesets outside of the simple ones provided in the rc.firewall{,6}
scripts, the system should make NO assumptions about your site's
policy and be adding rules.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
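Added example, not part of the mail above: a small POSIX sh check that a site in group (1) can run against the output of `ipfw list` after the change, to confirm that the three IPv4 loopback rules the system scripts no longer add are actually present in the custom rule file. It assumes that ipfw normalizes "pass all" to "allow ip" when listing rules; the two sample listings are constructed, and the patterns match only the rule text, not the rule numbers.

```shell
#!/bin/sh
# Added example: verify that an ipfw ruleset listing still carries the
# loopback rules that rc.firewall used to add unconditionally.
# Assumption: `ipfw list` prints "pass all" as "allow ip".

# Constructed sample: a custom rule file loaded without any loopback rules.
SAMPLE_WITHOUT='00500 allow tcp from any to any established
00600 deny ip from any to any'

# Constructed sample: the same ruleset with the three loopback rules added.
SAMPLE_WITH='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 allow tcp from any to any established
00600 deny ip from any to any'

# check_loopback_rules LISTING
# Exit status 0 if all three loopback rules appear in LISTING (one rule per
# line, as printed by `ipfw list`), 1 otherwise. Each missing rule is
# reported on stderr so the operator knows what to add to the rule file.
check_loopback_rules() {
    listing=$1
    missing=0
    for pattern in \
        'allow ip from any to any via lo0' \
        'deny ip from any to 127\.0\.0\.0/8' \
        'deny ip from 127\.0\.0\.0/8 to any'
    do
        # Rule number, whitespace, then the exact rule body to end of line.
        if ! printf '%s\n' "$listing" | grep -qE "^[0-9]+ +${pattern}\$"; then
            printf 'missing loopback rule: %s\n' "$pattern" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage against the live firewall on a FreeBSD host:
#   check_loopback_rules "$(ipfw list)" && echo "loopback rules present"
```

The check is deliberately strict about the 127.0.0.0/8 deny rules in both directions, since a rule file that only allows traffic via lo0 reproduces just one of the three rules the mail lists.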
