Date: Sun, 24 Feb 2002 11:08:20 -0500 (EST) From: Matt Piechota <piechota@argolis.org> To: Ralph Huntington <rjh@mohawk.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Couple of concerns with default rc.firewall Message-ID: <20020224110246.M17449-100000@cithaeron.argolis.org> In-Reply-To: <20020224104008.H14963-100000@mohegan.mohawk.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 24 Feb 2002, Ralph Huntington wrote: > Maybe I'm missing the point, but doesn't "deny ip from any to any" (which > is the last rule in a block-all-by-default firewall) doesn't that mean to > block everything, meaning everything? Nothing would be allowed, not any > icmp of any type or anything else. In order to allow anything in > particular, that would have to be explicitly enabled in a prior (ipfw) > rule, is that not correct? I think the question is did the FreeBSD team intentionally (for the reasons of security) make the default install non-compliant with some RFCs (read: broken), or was it just not thought of? And second, should this be changed? I don't think the original poster was suggesting that deny ip from any to any shouldn't block anything, just asking should there be a rule in rc.firewall in the default install to allow ICMP so the machine is well behaved. -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020224110246.M17449-100000>