From owner-freebsd-stable Sat Mar 25 19:45:28 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from dt051n0b.san.rr.com (dt051n0b.san.rr.com [204.210.32.11]) by hub.freebsd.org (Postfix) with ESMTP id C173437B8AD for ; Sat, 25 Mar 2000 19:45:25 -0800 (PST) (envelope-from Doug@gorean.org)
Received: from gorean.org (doug@master [10.0.0.2]) by dt051n0b.san.rr.com (8.9.3/8.9.3) with ESMTP id TAA08244; Sat, 25 Mar 2000 19:45:13 -0800 (PST) (envelope-from Doug@gorean.org)
Message-ID: <38DD87C8.8D8FC976@gorean.org>
Date: Sat, 25 Mar 2000 19:45:12 -0800
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 5.0-CURRENT-0322 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Tom Legg
Cc: freebsd-stable@freebsd.org
Subject: Re: Minor rc.network bug for 4.0 and ipfw
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tom Legg wrote:
> The current situation creates a potential problem for 4.0 admins (at
> least I didn't notice it until I upgraded to the 4.0 kernel)

	This situation hasn't changed. It's always been this way.

> If you compile a kernel with ipfw in the kernel but do nothing to
> modify /etc/defaults/rc.conf and boot, net.inet.ip.fw.enable is set
> to 1 and since the default for enable is NO, no further action is
> done upon the firewall scripts.

	The theory is that a sysadmin who is enabling these options will have
read the documentation and done what he can to properly prepare. For those
who are concerned about foot shooting, the "default to accept" kernel option
is available. If you're really needing a secure firewall, it's more important
that it is secure from boot, with or without the ability to read the rc
scripts. If you don't need that level of security, other options are
available to you.

Good luck,

Doug
-- 
"So, the cows were part of a dream that dreamed itself into existence?
Is that possible?" asked the student incredulously. The master simply
replied, "Mu."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
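The situation the thread describes (ipfw compiled into the kernel, so net.inet.ip.fw.enable comes up as 1, while rc.conf still carries the default of NO and therefore loads no rules) is easy to check for before a reboot. The POSIX sh function below is an added example, not code from the thread or from the FreeBSD rc scripts. It assumes the rc.conf knob in question is firewall_enable (the thread only says "enable"), takes the sysctl value and the rc.conf text as explicit inputs so it runs offline, and models the "default to accept" kernel option the reply mentions as an optional yes/no third argument, since that choice is not visible from rc.conf. The sample rc.conf content is constructed here.

```shell
#!/bin/sh
# Added example (not part of the original thread).
# Predict what a FreeBSD 4.x box with ipfw will do at boot, given:
#   $1 = value of net.inet.ip.fw.enable as "sysctl -n" prints it (0 or 1)
#   stdin = rc.conf-style text; feed /etc/defaults/rc.conf followed by
#           /etc/rc.conf so that, as in sh, the last assignment wins
#   $2 = "yes" if the kernel was built with the default-to-accept option
#        (assumed knob name for the option the reply mentions; default "no")
# Prints exactly one of:
#   DISABLED       ipfw not active in the kernel, rc.conf irrelevant
#   RULES_LOADED   ipfw active and rc.conf will run the firewall scripts
#   OPEN_NO_RULES  ipfw active, no rules loaded, kernel passes everything
#   LOCKOUT        ipfw active, no rules loaded, kernel denies everything
ipfw_boot_state() {
    fw_sysctl=$1
    default_accept=${2:-no}

    # Pull the value of the last firewall_enable= line, tolerating quotes,
    # leading whitespace and trailing comments; absent means NO (the default).
    fw_enable=$(sed -n 's/^[[:space:]]*firewall_enable=["]*\([A-Za-z]*\)["]*.*/\1/p' | tail -n 1)
    fw_enable=$(printf '%s' "${fw_enable:-NO}" | tr '[:lower:]' '[:upper:]')

    if [ "$fw_sysctl" != "1" ]; then
        echo DISABLED
    elif [ "$fw_enable" = "YES" ]; then
        echo RULES_LOADED
    elif [ "$default_accept" = "yes" ]; then
        echo OPEN_NO_RULES
    else
        echo LOCKOUT
    fi
}

# Constructed sample: an unedited rc.conf on a box whose kernel has ipfw.
SAMPLE_RCCONF='# constructed sample rc.conf fragment
firewall_enable="NO"
'

# Stand-alone demonstration of the case raised in the thread.
printf '%s' "$SAMPLE_RCCONF" | ipfw_boot_state 1
```

On a live system the same function is driven with real inputs: `cat /etc/defaults/rc.conf /etc/rc.conf | ipfw_boot_state "$(sysctl -n net.inet.ip.fw.enable)"`. A result of LOCKOUT before a reboot is the signal to either set firewall_enable and a ruleset, or to accept the trade-off the reply describes and build the kernel with the accept-by-default option.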