Date: Sat, 4 Jan 2003 08:53:23 +0100 (CET)
From: Lucky Green <shamrock@cypherpunks.to>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: shamrock@cypherpunks.to
Subject: docs/46747: Handbook: missing IPFW foot-shooting warning
Message-ID: <20030104075323.39DA73648A@pakastelohi.cypherpunks.to>
>Number: 46747 >Category: docs >Synopsis: Handbook: missing IPFW foot-shooting warning >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sat Jan 04 00:00:22 PST 2003 >Closed-Date: >Last-Modified: >Originator: Lucky Green >Release: FreeBSD 4.6.2-RELEASE-p5 i386 >Organization: >Environment: System: FreeBSD pakastelohi.cypherpunks.to 4.6.2-RELEASE-p5 FreeBSD 4.6.2-RELEASE-p5 #0: Tue Dec 31 06:33:55 CET 2002 root@pakastelohi.cypherpunks.to:/usr/obj/usr/src/sys/PAKASTELOHI-20021231 i386 >Description: Even though LINT contains an IPFW foot-shooting warning, the step-by-step instructions on enabling IPFW at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html do not. Consequently, administrators following the above instructions to the letter are likely to lock themselves out of their machines. >How-To-Repeat: >Fix: Apply the following doc patch to /usr/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml *** chapter.sgml.orig Sat Jan 4 07:52:10 2003 --- chapter.sgml Sat Jan 4 08:34:58 2003 *************** *** 2048,2053 **** --- 2048,2067 ---- linkend="kernelconfig">) for more details on how to recompile your kernel.</para> + + <note><title>Warning</title> + <para>IPFW defaults to a policy of "deny ip from any to any". + If you do not add other rules during startup to allow access, + <emphasis>you will lock yourself out</emphasis> of the server upon + rebooting into a firewall-enabled kernel. It is therefore + suggested that you set firewall_type=open in /etc/rc.conf when first enabling + this feature, then refining the firewall rules in /etc/rc.firewall + after you've tested that the new kernel feature works properly. To be + on the safe side, you may wish to consider performing the initial + firewall configuration from the local console rather than + via <application>ssh</application>. 
+ </para> + </note> <para>There are currently three kernel configuration options relevant to IPFW:</para> >Release-Note: >Audit-Trail: >Unformatted:
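Review bot: In the added note, the sentence "It is therefore suggested that you set firewall_type=open in /etc/rc.conf when first enabling this feature, then refining the firewall rules in /etc/rc.firewall" mixes verb forms; "then refine the firewall rules" keeps it parallel with "set". The same paragraph marks up <application>ssh</application> but leaves /etc/rc.conf, /etc/rc.firewall and firewall_type=open as bare text; wrapping the two paths in <filename> and the rc.conf setting in <literal> would match the markup already used in the hunk. Since the block is titled "Warning", DocBook's dedicated <warning> element fits better than <note><title>Warning</title>, and it renders with the visual emphasis a lockout warning deserves. The substance is sound: the deny-by-default policy the text describes is exactly why the console-first advice matters, since an ssh session is the first thing a default-deny ruleset drops on reboot.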