Date: Fri, 3 Jan 2003 23:26:17 +0200 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: Nick Rogness <nick@rogness.net> Cc: Lucky Green <shamrock@cypherpunks.to>, l.rizzo@iet.unipi.it, doc@freebsd.org Subject: Re: IPFW: suicidal defaults Message-ID: <20030103212617.GC2505@gothmog.gr> In-Reply-To: <20030102112914.P4054-100000@skywalker.rogness.net> References: <000101c2b279$51d33ba0$6601a8c0@VAIO650> <20030102112914.P4054-100000@skywalker.rogness.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2003-01-02 11:41, Nick Rogness <nick@rogness.net> wrote: > On Thu, 2 Jan 2003, Lucky Green wrote: > > Folks, > > A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvssup > > from the security branch) machine. Following the instruction in the > > Handbook at > > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html > > I recompiled the kernel with the required options and rebooted the > > machine. > > > > What I would have expected to happen is for there to be a new kernel > > that later on can be configured with firewall rules. But that is not > > what happened. Instead, IPFW defaults to block all IP traffic unless > > told otherwise: I was locked out of my machine! Which was on the other > > side of the planet from where I was physically located. > > > > Now I am all for shipping systems that are secure out-of-the-box, but > > defaulting an install to locking the admin out of his machine is not a > > nice thing to do. While I would argue that this should never be done, at > > the very least such a major trap should be mentioned in the Handbook so > > that administrators that follow the Handbook's step-by-step instructions > > know that they have to do so from the console, since in doing so they > > will lock themselves out remotely. > > Therefore, could you please be so kind and prevent others from shooting > > themselves into the foot as I did by > > > > 1) at least mention this danger *prominently* in the FreeBSD Handbook. > > Agreed. There should be a mention. However, someone has to write > it. Instead of bitchin about it, go ahead and submit a change > (bug report). Oh but it is documented. The sample configuration that one can find at /usr/src/sys/i386/conf/LINT includes a comment: # WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any" # and if you do not add other rules during startup to allow access, # YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open # in /etc/rc.conf when first enabling this feature, then refining the # firewall rules in /etc/rc.firewall after you've tested that the new kernel # feature works properly. Ignoring this is not a fault of the documentation :( - Giorgos To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030103212617.GC2505>