From: Scott Campbell
Date: Fri, 25 Jan 2002 10:39:11 -0800 (PST)
To: Nate Williams
Cc: Nik Clayton, Patrick Greenwell,
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <15441.36372.572274.479242@caddis.yogotech.com>

On Fri, 25 Jan 2002, Nate Williams wrote:

> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove the
> > > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > > /etc/defaults/rc.conf.
> > >
> > > This did not have the intended result of disabling the firewall, rather a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > > missing something?
> > >
> > > Opinions welcome.
> >
> > I've got a hunch this needs to be a tri-state variable.
> >
> > YES -- Load the firewall rules
> > NO  -- Do nothing, default policy is compiled in to the kernel
> > OFF -- Explicitly set net.inet.ip.fw.enable=0
>
> Can you ever think of where 'NO' != 'OFF'?
>
> In the case of a wide-open firewall, 'NO' == 'OFF' gives the same
> functionality, and in the case of the default firewall setup (everything
> filtered), the computer can't be used for anything, so I'd consider it a
> mistake to enable the firewall with no rules *AND* have the network
> connections enabled.
>
> I think 'YES' and 'NO' would be fine.

Do we NEED the "firewall_enable" in rc.conf? Since we are enabling it in the
kernel then we don't really have the option to enable/disable like other stuff
(sendmail, sshd...) in rc.conf.

Remove "firewall_enable" from rc.conf and then note in rc.conf that
"firewall_type" must be used to change the behaviour of ipfw if ipfw has been
enabled in the kernel. And in /etc/defaults/rc.conf have firewall_type="closed".

I am probably missing something so please feel free to enlighten.

Scott E. Campbell
_______________________________
Computer Operations
Greater Victoria Public Library
Victoria BC CANADA
scampbel@gvpl.ca
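Added example, not from this thread or from the FreeBSD rc scripts: a small sh script that models the behaviour the thread describes (firewall_enable missing from /etc/rc.conf falls back to the NO in /etc/defaults/rc.conf, the rc scripts then load nothing, and the kernel's compiled-in default policy stays in force), so the resulting state can be checked from the rc.conf files before a reboot. The kernel facts (IPFIREWALL compiled in, IPFIREWALL_DEFAULT_TO_ACCEPT set) are passed as arguments rather than read from a live host, and the sample rc.conf files are constructed.

```shell
#!/bin/sh
# Model of the rc-script decision described in the thread (added example, not
# the real rc.network/rc.firewall code). Kernel facts are passed in as arguments
# so this runs offline; on a real host they come from the kernel config, and
# the live state from "sysctl -n net.inet.ip.fw.enable" and "ipfw list".

# rcconf_value VAR FILE... -> last assignment of VAR across FILEs, quotes stripped.
# Later files override earlier ones, like /etc/rc.conf over /etc/defaults/rc.conf.
rcconf_value() {
    var=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${var}=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" |
        tail -n 1
}

# effective_policy HAS_IPFW DEFAULT_TO_ACCEPT DEFAULTS_FILE RC_FILE
#   HAS_IPFW:          yes if the kernel has options IPFIREWALL
#   DEFAULT_TO_ACCEPT: yes if it also has options IPFIREWALL_DEFAULT_TO_ACCEPT
# Prints: not-compiled | rules-from-firewall_type | default-deny | default-accept
effective_policy() {
    has_ipfw=$1; dta=$2; defaults=$3; rcfile=$4
    [ "$has_ipfw" = yes ] || { echo not-compiled; return; }
    enable=$(rcconf_value firewall_enable "$defaults" "$rcfile")
    case ${enable:-NO} in
        [Yy][Ee][Ss])
            # rc.firewall is run with firewall_type; what passes depends on that set
            echo rules-from-firewall_type ;;
        *)
            # NO (or unset): the rc scripts never touch ipfw, so the policy that
            # was compiled into the kernel applies to every packet
            if [ "$dta" = yes ]; then echo default-accept; else echo default-deny; fi ;;
    esac
}

# Constructed sample files reproducing the thread's situation: firewall_enable
# was removed from /etc/rc.conf in the expectation that this means "no firewall".
SAMPLE_DIR=$(mktemp -d)
printf 'firewall_enable="NO"\n' > "$SAMPLE_DIR/defaults.rc.conf"
printf 'sshd_enable="YES"\n# firewall_enable="YES"\n' > "$SAMPLE_DIR/rc.conf"

# Kernel with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT: prints default-deny
effective_policy yes no "$SAMPLE_DIR/defaults.rc.conf" "$SAMPLE_DIR/rc.conf"
```

A commented-out assignment (as in the sample rc.conf) is ignored by the parser, which is exactly the case the original poster hit.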