Date:      Sun, 27 Jan 2002 20:28:16 +0000
From:      Nik Clayton <nik@freebsd.org>
To:        Nate Williams <nate@yogotech.com>
Cc:        Nik Clayton <nik@FreeBSD.ORG>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127202816.A40565@clan.nothing-going-on.org>
In-Reply-To: <15441.36372.572274.479242@caddis.yogotech.com>; from nate@yogotech.com on Fri, Jan 25, 2002 at 09:55:48AM -0700
References:  <20020124201411.A39351-100000@rockstar.stealthgeeks.net> <20020125092154.U53456@clan.nothing-going-on.org> <15441.36372.572274.479242@caddis.yogotech.com>

On Fri, Jan 25, 2002 at 09:55:48AM -0700, Nate Williams wrote:
> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove the
> > > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > > /etc/defaults/rc.conf.
> > > 
> > > This did not have the intended result of disabling the firewall, rather a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > > missing something?
> > > 
> > > Opinions welcome.
> > 
> > I've got a hunch this needs to be a tri-state variable.
> > 
> >    YES -- Load the firewall rules
> >    NO  -- Do nothing, default policy is compiled in to the kernel
> >    OFF -- Explicitly set net.inet.ip.fw.enable=0
> 
> Can you ever think of where 'NO' != 'OFF'?

I'm working on the console of a machine on a network that I don't trust
and where I've configured the network interfaces in rc.conf but haven't
yet configured the firewall rules.

Which happens on a fairly regular basis for me.

N
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)
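
A sketch of the tri-state firewall_enable handling proposed in this thread, as an added example that is not FreeBSD's own rc code: for a given value it prints the command an init script would run and reports the resulting policy, which makes the difference between NO and OFF visible. The YES/NO/OFF values are from the thread; the function names and the kernel-default argument are assumptions.

```shell
#!/bin/sh
# Added example, not FreeBSD's own rc code: a sketch of the tri-state
# firewall_enable handling discussed above.  YES/NO/OFF come from the
# thread; the function names and the kernel-default argument are assumptions.

# Normalise an rc.conf boolean-ish value to upper case.
fw_norm() {
    printf '%s' "${1:-NO}" | tr '[:lower:]' '[:upper:]'
}

# Print the command an rc script would run for a given firewall_enable value.
firewall_plan() {
    case "$(fw_norm "$1")" in
    YES|TRUE|ON|1)
        # Load the rule set with the filter switched on.
        echo "sysctl net.inet.ip.fw.enable=1; sh /etc/rc.firewall"
        ;;
    NO|FALSE|0)
        # Do nothing: the policy compiled into the kernel stays in force,
        # which with options IPFIREWALL is deny-by-default.
        echo ":"
        ;;
    OFF)
        # Explicitly switch the packet filter off.
        echo "sysctl net.inet.ip.fw.enable=0"
        ;;
    *)
        echo "firewall_plan: unknown value '$1'" >&2
        return 1
        ;;
    esac
}

# Report the effective policy.  $2 is the kernel's compiled-in default
# (deny, or accept when built with IPFIREWALL_DEFAULT_TO_ACCEPT).
firewall_effective_policy() {
    case "$(fw_norm "$1")" in
    YES|TRUE|ON|1) echo "ruleset" ;;
    NO|FALSE|0)    echo "kernel-default-${2:-deny}" ;;
    OFF)           echo "open" ;;
    *)             return 1 ;;
    esac
}

# Show why an admin who only removed firewall_enable from rc.conf is surprised.
for v in YES NO OFF; do
    printf '%-4s -> %-22s  %s\n' "$v" "$(firewall_effective_policy "$v")" \
        "$(firewall_plan "$v")"
done
```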
