From owner-freebsd-questions@FreeBSD.ORG Wed Apr 23 11:39:32 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EC64537B401 for ; Wed, 23 Apr 2003 11:39:32 -0700 (PDT)
Received: from ns1.webwarrior.net (overlord-host99.dsl.visi.com [209.98.86.99]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1585243FAF for ; Wed, 23 Apr 2003 11:39:32 -0700 (PDT) (envelope-from friar_josh@webwarrior.net)
Received: by ns1.webwarrior.net (Postfix, from userid 1003) id 19D06253D5; Wed, 23 Apr 2003 13:39:31 -0500 (CDT)
Date: Wed, 23 Apr 2003 13:39:31 -0500
From: Josh Paetzel
To: felix@rapidaxcess.com
Message-ID: <20030423183931.GC93993@ns1.webwarrior.net>
References: <200304231929.MAA26105@rs2.rapidaxcess.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200304231929.MAA26105@rs2.rapidaxcess.com>
User-Agent: Mutt/1.4i
cc: questions@FreeBSD.org
Subject: Re: Firewall options
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 23 Apr 2003 18:39:33 -0000

On Wed, Apr 23, 2003 at 12:29:46PM -0700, felix@rapidaxcess.com wrote:
> To whom it may concern:
> I am in the process of setting up my first firewalled machine, on the bench
> thank God.
> I have pored over the manual pages multiple times and am stuck here...
>
> I seem to have everything under control with rules set up to allow me in on
> boot. Now I need to change the default rule (65535) to deny instead of accept.
> I have removed the kernel config line: options IPFIREWALL_DEFAULT_TO_ACCEPT
> recompiled and rebooted 2 times, still the default is accept.
> I hate to hack by adding a rule 65000 to deny just for a work around, if
> that would even work...
> Suggestions?
>
> Thanks in advance!
> And keep up the great work, all of my servers run FreeBSD!
>
> Bryan Felix
> felix@rapidaxcess.com
>

Well, adding that rule would work, but it would be a hack. Are you SURE you are
booting the kernel you think you are? Try renaming the kernel with the
IPFIREWALL_DEFAULT_TO_ALLOW option removed to a different name and see if
that's the kernel you're actually booting after the rebuild process. I've seen
two different 5.0 boxes in particular not boot the correct kernel after a
rebuild in the last two weeks.

Josh
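As an added example (not part of the thread), a small POSIX sh script that turns the two checks discussed above into something repeatable after a kernel rebuild: is the kernel that actually booted the one you built, is the kernel config really free of IPFIREWALL_DEFAULT_TO_ACCEPT, and does ipfw rule 65535 now read deny. The functions take the text of `sysctl -n kern.bootfile` and `ipfw list 65535` as arguments; the values at the bottom are constructed samples so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the original mailing-list post.

# Return 0 if the booted kernel path (sysctl -n kern.bootfile) is the expected one.
booted_kernel_matches() {
    bootfile="$1"   # e.g. output of: sysctl -n kern.bootfile
    expected="$2"   # e.g. /boot/kernel/kernel
    [ "$bootfile" = "$expected" ]
}

# Return 0 if the kernel config file still has an active (uncommented)
# "options IPFIREWALL_DEFAULT_TO_ACCEPT" line, which means the rebuild
# would again produce a default-accept firewall.
config_has_default_accept() {
    conf="$1"   # path to the kernel config file, e.g. /usr/src/sys/i386/conf/MYKERNEL
    grep -q '^[[:space:]]*options[[:space:]][[:space:]]*IPFIREWALL_DEFAULT_TO_ACCEPT' "$conf"
}

# Return 0 if the line from "ipfw list 65535" shows the default rule as deny.
default_rule_is_deny() {
    rule_line="$1"   # e.g. output of: ipfw list 65535
    case "$rule_line" in
        65535\ deny\ ip\ from\ any\ to\ any*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample values standing in for live command output.
SAMPLE_BOOTFILE="/boot/kernel.old/kernel"
SAMPLE_EXPECTED="/boot/kernel/kernel"
SAMPLE_RULE="65535 allow ip from any to any"

if booted_kernel_matches "$SAMPLE_BOOTFILE" "$SAMPLE_EXPECTED"; then
    echo "ok: booted kernel is $SAMPLE_EXPECTED"
else
    echo "WARNING: booted $SAMPLE_BOOTFILE, not $SAMPLE_EXPECTED (old kernel still in use?)"
fi

if default_rule_is_deny "$SAMPLE_RULE"; then
    echo "ok: default rule 65535 is deny"
else
    echo "WARNING: default rule is not deny: $SAMPLE_RULE"
fi
```

On a live box replace the samples with `$(sysctl -n kern.bootfile)` and `$(ipfw list 65535)`, and point config_has_default_accept at the config you built from.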