Message-ID: <42028032.2020701@att.net>
Date: Thu, 03 Feb 2005 14:49:06 -0500
From: Duane Winner
To: freebsd-security@freebsd.org
Subject: need ipfw clarification

Hello,

I noticed that after enabling firewall in my kernel (5.3-release), my dmesg now gives me this:

    ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to accept, logging limited to 5 packets/entry by default

On 5.2.1, I used to get this:

    ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to accept, logging disabled

In both cases, I am adding this to my KERNEL config:

    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT

It seems that the major difference between 5.2.1 and 5.3 is that now rule-based forwarding is disabled. Is this correct? And what exactly is rule-based forwarding?

I'm guessing that it doesn't really apply to my situation, as in these cases, I am using IPFW to create a deny all inbound to my laptop when I'm on the road. But I just want to make sure.

Thanks,
DW