From owner-freebsd-stable Sat Jan 26 23:48:56 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from rover.village.org (rover.bsdimp.com [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 289F937B400 for ; Sat, 26 Jan 2002 23:48:52 -0800 (PST)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.11.3/8.11.3) with ESMTP id g0R7mpo10697; Sun, 27 Jan 2002 00:48:51 -0700 (MST) (envelope-from imp@village.org)
Received: from localhost (warner@rover2.village.org [10.0.0.1]) by harmony.village.org (8.11.6/8.11.6) with ESMTP id g0R7mjx79156; Sun, 27 Jan 2002 00:48:45 -0700 (MST) (envelope-from imp@village.org)
Date: Sun, 27 Jan 2002 00:46:56 -0700 (MST)
Message-Id: <20020127.004656.53474822.imp@village.org>
To: nate@yogotech.com
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
From: "M. Warner Losh"
In-Reply-To: <15443.44156.595426.139371@caddis.yogotech.com>
References: <15443.42601.781625.356369@caddis.yogotech.com> <20020127.002337.37328950.imp@village.org> <15443.44156.595426.139371@caddis.yogotech.com>
X-Mailer: Mew version 2.1 on Emacs 21.1 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In message: <15443.44156.595426.139371@caddis.yogotech.com>
            Nate Williams writes:
: > You still haven't responded to my comment that I have it setup like
: > this on some of my boxes so that I can do things that don't fit in
: > well with the current firewall paradigm. Nor to my comment that we
: > shouldn't be changing a security feature in a fail*UN*safe way.
:
: Explain to me how disabling the firewall with 'FIREWALL_ENABLE=NO' can
: be unsafe?

Because I have the firewall compiled into my kernel with the setting to
not pass any packets.
Due to some strange network stuff on my end, I don't load the actual
rules until way late in the boot process, later than the normal firewall
rules. I go from having the system not passing any packets, to the
system passing only those that the firewall rules allow.

Most of the reason I do this is because I have to get data on usage
patterns from another system, and can't do that early enough in the boot
process. The rules I have are dynamic based on how much bandwidth the
coop has used so far this month and other conditions that change from
time to time. Right now we do default route AFTER we load the firewall
rules. However, the usage data is on another machine, not on my local
segment. We've also found that the wireless link we have does better
when bandwidth limited during bad weather (again, the data isn't on the
router, but on another machine not on its local segment).

Another reason would be because we would be communicating with a host
that accepts only ipsec connections. This too happens after the firewall
rules are added. While we don't do this today, it won't be too long into
the future before we do this.

: Can you show me *ANY* system that uses a closed down firewall that also
: has FIREWALL_ENABLE=NO? That would be the only 'safe->unsafe'
: transition, since otherwise the default firewall setup is wide-open.

rover.village.org has such a setup today.

: > I'll grant that I might be in the minority here, but I sure don't want
: > the ability to use my firewall going away after my "next"
: > mergemaster change because you were helpful and unloaded/disabled
: > stuff for me.
:
: Fixing something that's broken is still fixing something. If you don't
: want a firewall, then why have it activated and enabled? (This is a
: rhetorical question.)

Because I don't want the automatic firewall rules to happen at the place
in the boot sequence where they happen now.
Warner
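The "safe to unsafe" case argued over above is a host whose compiled-in ipfw defaults to deny (its default rule 65535 is "deny ip from any to any") while rc.conf says firewall_enable="NO" because the real rules are loaded by a later script. A rc change that opens the firewall whenever firewall_enable is NO would flip exactly those hosts from closed to wide open. The audit helper below, an added example that is not code from this thread or from FreeBSD's rc scripts, classifies a host from two inputs: the text of rc.conf (it looks for the lowercase rc.conf spelling firewall_enable, not the FIREWALL_ENABLE Nate wrote) and the output of `ipfw list`, whose rule 65535 is assumed to be the kernel's default rule. The rc.conf and ipfw output embedded in the script are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added audit example (not code from this thread or from FreeBSD's rc scripts).
# Combines the effective firewall_enable value from rc.conf with the action of
# ipfw's default rule 65535 to find hosts in the state discussed in the thread:
# default deny in the kernel, rc.conf not managing the rules.

# Constructed sample inputs standing in for /etc/rc.conf and `ipfw list`.
SAMPLE_RC_CONF='hostname="router.example"
# firewall_enable="YES"   # commented out on purpose: rules come from a late script
firewall_enable="NO"
'
SAMPLE_IPFW_LIST='65535 deny ip from any to any'

# rc_firewall_enable RC_TEXT: print the effective firewall_enable value in
# upper case (last uncommented assignment wins, as in sh); empty if unset.
rc_firewall_enable() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*firewall_enable=["'\'']*\([A-Za-z]*\).*/\1/p' \
      | tail -n 1 \
      | tr '[:lower:]' '[:upper:]'
}

# kernel_default_policy IPFW_LIST_TEXT: print the action of rule 65535, the
# ipfw default rule ("deny" unless the kernel was built to default to accept).
kernel_default_policy() {
    printf '%s\n' "$1" | awk '$1 == 65535 { print $2; exit }'
}

# classify RC_TEXT IPFW_LIST_TEXT: prints one of
#   closed-unmanaged  default deny, rc.conf not managing rules (the thread's setup)
#   open-unmanaged    default accept and nothing managing rules: effectively no firewall
#   closed-managed    default deny and rc.conf loads rules normally
#   open-managed      default accept with rc.conf-managed rules
#   unknown           rule 65535 not present in the ipfw output
classify() {
    en=$(rc_firewall_enable "$1")
    pol=$(kernel_default_policy "$2")
    [ -n "$en" ] || en=NO          # /etc/defaults/rc.conf value when unset
    case "$en:$pol" in
        NO:deny)   echo closed-unmanaged ;;
        NO:allow)  echo open-unmanaged ;;
        YES:deny)  echo closed-managed ;;
        YES:allow) echo open-managed ;;
        *)         echo unknown ;;
    esac
}

# Stand-alone run over the constructed sample: prints "closed-unmanaged".
classify "$SAMPLE_RC_CONF" "$SAMPLE_IPFW_LIST"
```

On a real host the two inputs would be `cat /etc/rc.conf` and `ipfw list`; a result of closed-unmanaged is the one to flag before rolling out any rc change that treats firewall_enable=NO as "no firewall wanted".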