From owner-freebsd-bugs Thu Jul 24 03:40:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA21786 for bugs-outgoing; Thu, 24 Jul 1997 03:40:06 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA21764; Thu, 24 Jul 1997 03:40:02 -0700 (PDT)
Date: Thu, 24 Jul 1997 03:40:02 -0700 (PDT)
Message-Id: <199707241040.DAA21764@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: David Nugent
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Reply-To: David Nugent
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4141; it has been noted by GNATS.

From: David Nugent
To: hsu@mail.clinet.fi
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Date: Thu, 24 Jul 1997 20:32:19 +1000

> ipfw default rule was changed to deny over a year ago. This is the right
> thing in theory, but in practice it has been and still is a pain, causing
> a configuration mistake or kernel/ipfw command difference to always be fatal and
> requiring manual attendance. Fine for pure firewalls and machines which ~
> This would be easy to fix by adding a kernel compile option which would make
> the ipfw default rule "allow" instead of "deny". It would not harm anyone but
> would be a lifesaver for us.
>
> >How-To-Repeat:
>
> Replace a -stable kernel from a month ago (I think) with a -stable kernel from
> yesterday's sup, reboot, on a machine which has rc.firewall as "open". ipfw
> command fails when trying to set default rule to allow, so no networking.
>
> >Fix:
>
> >Audit-Trail:
> >Unformatted:
>

Since Joerg is on holidays, I'll make his standard reply to this sort of
request:

Your email seemed to be truncated at this point, as the patch adding this
feature was missing. Could you please resend? :-)

Regards,
David

PS: Yes, I think this is worth doing too.
This would allow a remote booted machine with an nfs-mounted root filesystem
to run the firewall code as well.

--
David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
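Added example, not part of the PR or of David's reply: the failure mode the PR describes is a rule-loading error on a kernel whose built-in default rule (65535, which cannot be deleted) is deny, which leaves the machine with no networking until someone reaches the console. Until a kernel option flips that default, a rule loader can guard against it at run time. The POSIX sh below (function and variable names `load_ruleset`, `IPFW` and `FALLBACK_RULE` are this example's own choices) applies an rc.firewall-style rule file line by line and, on the first `ipfw` command that fails, installs an allow-all rule at 65000, just above the fixed default, so a typo in the rule file degrades the host to "open" rather than "deaf". The `IPFW` variable exists only so the loader can be exercised against a stand-in command, as the test below does.

```shell
#!/bin/sh
# Guarded ipfw rule loader (added example; not from the PR or FreeBSD's rc.firewall).
# Assumptions: the kernel default rule 65535 is "deny" (the PR's situation) and
# rule number 65000 is unused, so an allow-all rule there is consulted first.

IPFW="${IPFW:-/sbin/ipfw}"            # command to run; overridable for testing
FALLBACK_RULE="${FALLBACK_RULE:-65000}" # one slot below the immutable default

# load_ruleset FILE
# Each non-empty, non-comment line of FILE is run as "ipfw <line>".
# Returns 0 if every line was accepted. On the first failure it reports the
# offending line, installs the allow-all fallback and returns 1, so the
# caller (an rc script, a cron job, an admin over ssh) keeps connectivity.
load_ruleset() {
    rules_file="$1"
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;       # skip blank lines and comments
        esac
        # Word-splitting of $line is intentional: each word is one ipfw argument.
        if ! $IPFW $line; then
            echo "load_ruleset: $rules_file line $lineno rejected: $line" >&2
            echo "load_ruleset: installing allow-all fallback at rule $FALLBACK_RULE" >&2
            $IPFW add "$FALLBACK_RULE" allow ip from any to any
            return 1
        fi
    done < "$rules_file"
    return 0
}

# Usage (as root, on the real box):  . ./load_ruleset.sh; load_ruleset /etc/ipfw.rules
# A non-zero exit means the fallback is in place and the rule file needs fixing.
```

The fallback is deliberately a numbered rule rather than a flush: on a default-deny kernel, flushing the table is exactly what produces the lockout the PR complains about. FreeBSD later added the `IPFIREWALL_DEFAULT_TO_ACCEPT` kernel option, which is the compile-time answer the PR asks for; the loader above is the run-time belt to that pair of braces.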