From owner-freebsd-doc Sat Jan 4 0: 0:26 2003
Delivered-To: freebsd-doc@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 112AE37B401 for ; Sat, 4 Jan 2003 00:00:24 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1678A43ED4 for ; Sat, 4 Jan 2003 00:00:23 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h0480MNS034841 for ; Sat, 4 Jan 2003 00:00:22 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h0480MoZ034840; Sat, 4 Jan 2003 00:00:22 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C396937B401 for ; Fri, 3 Jan 2003 23:53:35 -0800 (PST)
Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58B3343EA9 for ; Fri, 3 Jan 2003 23:53:35 -0800 (PST) (envelope-from shamrock@pakastelohi.cypherpunks.to)
Received: by pakastelohi.cypherpunks.to (Postfix, from userid 1001) id 39DA73648A; Sat, 4 Jan 2003 08:53:23 +0100 (CET)
Message-Id: <20030104075323.39DA73648A@pakastelohi.cypherpunks.to>
Date: Sat, 4 Jan 2003 08:53:23 +0100 (CET)
From: Lucky Green
Reply-To: Lucky Green
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: shamrock@cypherpunks.to
X-Send-Pr-Version: 3.113
Subject: docs/46747: Handbook: missing IPFW foot-shooting warning
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 46747
>Category: docs
>Synopsis: Handbook: missing IPFW foot-shooting warning
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 04 00:00:22 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Lucky Green
>Release: FreeBSD 4.6.2-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD pakastelohi.cypherpunks.to 4.6.2-RELEASE-p5 FreeBSD 4.6.2-RELEASE-p5 #0: Tue Dec 31 06:33:55 CET 2002 root@pakastelohi.cypherpunks.to:/usr/obj/usr/src/sys/PAKASTELOHI-20021231 i386
>Description:
Even though LINT contains an IPFW foot-shooting warning, the step-by-step instructions on enabling IPFW at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html do not. Consequently, administrators following the above instructions to the letter are likely to lock themselves out of their machines.
>How-To-Repeat:
>Fix:
Apply the following doc patch to /usr/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml

*** chapter.sgml.orig Sat Jan 4 07:52:10 2003 --- chapter.sgml Sat Jan 4 08:34:58 2003 *************** *** 2048,2053 **** --- 2048,2067 ---- linkend="kernelconfig">) for more details on how to recompile your kernel. + + Warning + IPFW defaults to a policy of "deny ip from any to any". + If you do not add other rules during startup to allow access, + you will lock yourself out of the server upon + rebooting into a firewall-enabled kernel. It is therefore + suggested that you set firewall_type=open in /etc/rc.conf when first enabling + this feature, then refining the firewall rules in /etc/rc.firewall + after you've tested that the new kernel feature works properly. To be + on the safe side, you may wish to consider performing the initial + firewall configuration from the local console rather than + via ssh. + + There are currently three kernel configuration options relevant to IPFW:

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
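Review bot: the added Warning paragraph tells readers to refine their rules in /etc/rc.firewall, but that file is part of the base system and its final case branch already treats any firewall_type value that is not one of the named types as the path of a rule file to hand to ipfw (firewall_type="/etc/ipfw.rules"), so the text should point readers at a rule file of their own rather than at editing the distributed script. Two smaller points in the same paragraph: "deny ip from any to any" is the default only for a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT, and the sentence that follows about the three kernel options is the natural place to say so; and the rc.conf setting should be written the way rc.conf(5) shows it, firewall_type="open" next to firewall_enable="YES", with "then refining the firewall rules" changed to "then refine" so it parallels "set".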
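As an added example that is not part of Lucky Green's PR or of the FreeBSD Handbook, the following script shows what the "refine the firewall rules" step in the proposed warning can lead to: a first IPFW rule set, written in the style of /etc/rc.firewall, that keeps the administrator's SSH session reachable. Assumptions of this example: administrative access is SSH on TCP port 22, the ipfw keyword me matches the host's own addresses, and the FWCMD variable may be pointed at echo to preview the rules without touching the running firewall. The arm_deadman function goes one step past the warning's advice to work from the console: for the remote case, it reopens the firewall after a delay unless the administrator cancels it once access is confirmed.

```shell
#!/bin/sh
# Added example, not from PR docs/46747 or the FreeBSD Handbook: a first
# IPFW rule set that keeps remote SSH access working, in the style of
# /etc/rc.firewall. Assumptions: admin access is SSH on TCP/22, "me"
# matches the host's own addresses, FWCMD=echo previews instead of loading.

: "${FWCMD:=/sbin/ipfw}"

# Load the rule set in one pass. The numbering leaves room for later
# insertions and makes "ipfw list" read top to bottom in this order.
load_rules() {
    $FWCMD -f flush
    # Loopback is always allowed; nothing to or from 127/8 on the wire.
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 200 deny ip from any to 127.0.0.0/8
    $FWCMD add 300 deny ip from 127.0.0.0/8 to any
    # Packets of TCP connections that already exist (ACK or RST set).
    $FWCMD add 1000 allow tcp from any to any established
    # Inbound SSH: the rule that prevents the lockout the PR describes.
    $FWCMD add 1100 allow tcp from any to me 22 setup
    # Connections this host opens itself, plus DNS and NTP over UDP.
    $FWCMD add 1200 allow tcp from me to any setup
    $FWCMD add 1300 allow udp from me to any 53,123
    $FWCMD add 1310 allow udp from any 53,123 to me
    # ICMP needed for path MTU discovery, ping and traceroute to work.
    $FWCMD add 1400 allow icmp from any to any icmptypes 0,3,8,11
    # Log what is refused; the kernel's own rule 65535 denies silently.
    $FWCMD add 65000 deny log ip from any to any
}

# Safety net when rules are changed over SSH rather than at the console:
# after $1 seconds (default 180) an allow-everything rule is inserted at
# the top unless the timer is killed first. Prints the timer's pid.
# stdout is redirected so a caller using $(...) does not wait on it.
arm_deadman() {
    delay=${1:-180}
    ( sleep "$delay" && $FWCMD add 1 allow ip from any to any ) >/dev/null 2>&1 &
    echo $!
}

# Cancel the safety net once the new rules are confirmed to work.
disarm_deadman() {
    kill "$1" 2>/dev/null
}

# "sh ipfw.sh load" loads the rules (use from the console);
# "sh ipfw.sh deadman [seconds]" loads them with the safety net armed.
# Without an argument the file only defines the functions above.
case "${1:-}" in
    load)
        load_rules ;;
    deadman)
        pid=$(arm_deadman "${2:-180}")
        load_rules
        echo "rules loaded; firewall reopens in ${2:-180}s unless you run: kill $pid" ;;
    '')
        ;;
    *)
        echo "usage: $0 load | deadman [seconds]" >&2 ;;
esac
```

After booting the IPFW kernel with firewall_enable="YES" and firewall_type="open" in /etc/rc.conf, as the PR suggests, run the script with "load" from the console or with "deadman" from an SSH session, then kill the printed pid once a fresh SSH login succeeds. Because ipfw(8) reads a file of commands written without the leading "ipfw", the same rules become a boot-time rule file for firewall_type with FWCMD=echo sh ipfw.sh load | grep '^add ' > /etc/ipfw.rules, leaving the flush to rc.firewall.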