From owner-freebsd-doc Fri Jan 3 13:26:43 2003
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D24F37B401 for ; Fri, 3 Jan 2003 13:26:42 -0800 (PST)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3E9C43F0F for ; Fri, 3 Jan 2003 13:26:38 -0800 (PST) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-b218.otenet.gr [212.205.244.226]) by mailsrv.otenet.gr (8.12.6/8.12.6) with ESMTP id h03LQN4V001333; Fri, 3 Jan 2003 23:26:25 +0200 (EET)
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.12.6/8.12.6) with ESMTP id h03LQNh2003101; Fri, 3 Jan 2003 23:26:23 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.12.6/8.12.6/Submit) id h03LQHbG003096; Fri, 3 Jan 2003 23:26:17 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Date: Fri, 3 Jan 2003 23:26:17 +0200
From: Giorgos Keramidas
To: Nick Rogness
Cc: Lucky Green, l.rizzo@iet.unipi.it, doc@freebsd.org
Subject: Re: IPFW: suicidal defaults
Message-ID: <20030103212617.GC2505@gothmog.gr>
References: <000101c2b279$51d33ba0$6601a8c0@VAIO650> <20030102112914.P4054-100000@skywalker.rogness.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030102112914.P4054-100000@skywalker.rogness.net>
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 2003-01-02 11:41, Nick Rogness wrote:
> On Thu, 2 Jan 2003, Lucky Green wrote:
> > Folks,
> >
> > A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvsup
> > from the security branch) machine. Following the instruction in the
> > Handbook at
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> > I recompiled the kernel with the required options and rebooted the
> > machine.
> >
> > What I would have expected to happen is for there to be a new kernel
> > that later on can be configured with firewall rules. But that is not
> > what happened. Instead, IPFW defaults to block all IP traffic unless
> > told otherwise: I was locked out of my machine! Which was on the other
> > side of the planet from where I was physically located.
> >
> > Now I am all for shipping systems that are secure out-of-the-box, but
> > defaulting an install to locking the admin out of his machine is not a
> > nice thing to do. While I would argue that this should never be done, at
> > the very least such a major trap should be mentioned in the Handbook so
> > that administrators that follow the Handbook's step-by-step instructions
> > know that they have to do so from the console, since in doing so they
> > will lock themselves out remotely.
> > Therefore, could you please be so kind and prevent others from shooting
> > themselves in the foot as I did by
> >
> > 1) at least mention this danger *prominently* in the FreeBSD Handbook.
>
> Agreed. There should be a mention. However, someone has to write
> it. Instead of bitchin about it, go ahead and submit a change
> (bug report).

Oh but it is documented. The sample configuration that one can find at
/usr/src/sys/i386/conf/LINT includes a comment:

# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.

Ignoring this is not a fault of the documentation :(

- Giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message
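The lockout the thread describes is a configuration state that can be checked before rebooting: the IPFIREWALL kernel option defaults to deny, so a host that starts ipfw from rc without an "open" ruleset type will refuse the admin's own remote session. The script below is an added example, not code from the thread or from FreeBSD; it reads an rc.conf-style file and reports whether the combination of firewall_enable and firewall_type matches the case the LINT comment warns about. The file path and the sample contents in the usage note are constructed for illustration, and the check only knows the three outcomes the message discusses (ipfw not started, firewall_type=open, anything else needing review).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag the rc.conf state in
# which ipfw is enabled but no "open" ruleset is requested, i.e. the
# default-deny lockout that the LINT comment warns about.

# rc_value FILE KEY: print the value assigned to KEY in a sh-style rc.conf.
# The last assignment wins, trailing "# ..." comments and surrounding quotes
# are stripped, and nothing is printed when the key is absent.
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^=]*=//; s/[[:space:]]*#.*$//' \
        | tr -d "\"'"
}

# check_firewall_config FILE: return 0 when the file cannot lock a remote
# admin out at boot, 1 when it can or when the ruleset needs manual review.
# A one-line reason is printed either way.
check_firewall_config() {
    enable=$(rc_value "$1" firewall_enable)
    ftype=$(rc_value "$1" firewall_type)

    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *)
            echo "ok: firewall_enable is not YES, rc will not load ipfw rules"
            return 0
            ;;
    esac

    case "$ftype" in
        "")
            # firewall_enable=YES with no firewall_type: nothing in rc.conf
            # overrides the kernel's "deny ip from any to any" default.
            echo "LOCKOUT RISK: firewall_enable=YES but firewall_type is unset (kernel default is deny)"
            return 1
            ;;
        [Oo][Pp][Ee][Nn])
            echo "ok: firewall_type=open, all traffic is allowed until you refine the rules"
            return 0
            ;;
        *)
            # A custom type or rules file: the script cannot prove it admits
            # the remote session, so ask for review from the console.
            echo "review: firewall_type=$ftype; confirm the ruleset permits your remote access before rebooting"
            return 1
            ;;
    esac
}
```

Typical use is `check_firewall_config /etc/rc.conf` after editing the file and before the reboot that activates the new kernel; an exit status of 1 means the next boot should be attended from the console.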