From owner-freebsd-bugs Tue Jul 22 00:00:10 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA11206 for bugs-outgoing; Tue, 22 Jul 1997 00:00:10 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA11180; Tue, 22 Jul 1997 00:00:06 -0700 (PDT)
Resent-Date: Tue, 22 Jul 1997 00:00:06 -0700 (PDT)
Resent-Message-Id: <199707220700.AAA11180@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, hsu@mail.clinet.fi
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA10847 for ; Mon, 21 Jul 1997 23:53:01 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.8.6/8.8.6) with ESMTP id JAA00638 for ; Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
Received: (root@localhost) by katiska.clinet.fi (8.8.6/8.6.4) id JAA22970; Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
Message-Id: <199707220652.JAA22970@katiska.clinet.fi>
Date: Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
From: Heikki Suonsivu
Reply-To: hsu@mail.clinet.fi
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/4141: ipfw default rule should be compile-time option
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         4141
>Category:       kern
>Synopsis:       ipfw default rule should be compile-time option
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 22 00:00:03 PDT 1997
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-STABLE i386
>Environment:
2.2-STABLE. Just supped to find out that the ipfw kernel interface has changed and kernel and ipfw have to be changed in sync.
>Description:
The ipfw default rule was changed to deny over a year ago.
This is the right thing in theory, but in practice it has been and still is a pain, causing configuration mistakes or kernel/ipfw command differences to always be fatal and to require manual attendance. Fine for pure firewalls and machines which are not kept current, but we also use ipfw as a statistics-collecting and network problem-solving tool on machines which are otherwise intended to be open. This problem is particularly harmful with machines which are usually managed remotely (I have more than 50 scattered around within a 450km radius).

This would be easy to fix by adding a kernel compile option which would make the ipfw default rule "allow" instead of "deny". It would not harm anyone but would be a lifesaver for us.
>How-To-Repeat:
Replace a -stable kernel from a month ago (I think) with a -stable kernel from yesterday's sup and reboot, on a machine which has rc.firewall set to "open". The ipfw command fails when trying to set the default rule to allow, so no networking.
>Fix:
>Audit-Trail:
>Unformatted:
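The lockout the PR describes (a rule load that fails on a remote box and leaves the kernel's default-deny in force) is the classic case for a fail-safe rule loader. The following POSIX sh script is an added example, not part of the PR or of FreeBSD's rc.firewall; it assumes an ipfw that accepts `-f flush` and `add N allow ip from any to any`, and lets the `ipfw` binary, grace period and marker path be overridden through environment variables so the logic can be exercised with a stub.

```shell
#!/bin/sh
# Fail-safe ipfw ruleset loader for remotely managed hosts (added example).
# Loads a ruleset file; if any rule fails to install, reverts to an open
# policy at once. If all rules install, arms a deadman timer that reverts
# to open after GRACE seconds unless the operator confirms connectivity.
# IPFW, GRACE and MARKER are overridable assumptions, not ipfw features.

IPFW=${IPFW:-ipfw}
GRACE=${GRACE:-120}                     # seconds before automatic revert
MARKER=${MARKER:-/var/run/ipfw.pending} # exists while a change is unconfirmed

# Reset to an "open" policy: flush everything, then a catch-all allow.
ipfw_open() {
    "$IPFW" -f flush && "$IPFW" add 65000 allow ip from any to any
}

# Apply one ruleset file ("add ..." lines, blanks and # comments ignored).
# Returns 1 on the first failing command: this is the kernel/ipfw
# mismatch in the PR, where the allow rule is never installed at all.
ipfw_load() {
    rules=$1
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        "$IPFW" $line || return 1        # word splitting is intended
    done < "$rules"
}

# Arm the deadman: if MARKER still exists after GRACE seconds, go open.
ipfw_arm() {
    : > "$MARKER"
    ( sleep "$GRACE"; [ -e "$MARKER" ] && ipfw_open ) &
}

# Operator confirms the new rules from a session that survived the change.
ipfw_confirm() { rm -f "$MARKER"; }

# Entry point: 0 = rules loaded and timer armed, 2 = load failed, reverted.
ipfw_apply_safe() {
    if ipfw_load "$1"; then
        ipfw_arm
        return 0
    else
        ipfw_open
        return 2
    fi
}
```

Run `ipfw_apply_safe /etc/ipfw.rules` from the remote session, then `ipfw_confirm` once you can still reach the box; if the session is lost, the timer reopens the host instead of leaving it unreachable.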