From: Nik Clayton
To: Nate Williams
Cc: Nik Clayton, Patrick Greenwell, stable@FreeBSD.ORG
Date: Sun, 27 Jan 2002 20:28:16 +0000
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020127202816.A40565@clan.nothing-going-on.org>
In-Reply-To: <15441.36372.572274.479242@caddis.yogotech.com>

On Fri, Jan 25, 2002 at 09:55:48AM -0700, Nate Williams wrote:
> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove the
> > > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > > /etc/defaults/rc.conf.
> > >
> > > This did not have the intended result of disabling the firewall, rather a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > > missing something?
> > >
> > > Opinions welcome.
> >
> > I've got a hunch this needs to be a tri-state variable.
> >
> > YES -- Load the firewall rules
> > NO -- Do nothing, default policy is compiled in to the kernel
> > OFF -- Explicitly set net.inet.ip.fw.enable=0
>
> Can you ever think of where 'NO' != 'OFF'.

I'm working on the console of a machine on a network that I don't trust and where I've configured the network interfaces in rc.conf but haven't yet configured the firewall rules. Which happens on a fairly regular basis for me.

N
--
FreeBSD: The Power to Serve http://www.freebsd.org/
FreeBSD Documentation Project http://www.freebsd.org/docproj/
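As an added illustration of the tri-state firewall_enable discussed in this thread (not code from the thread or from FreeBSD's own rc scripts): the OFF value, the constructed rc.conf fragments and the helper functions are assumptions, and the resulting commands are printed rather than executed. It makes the thread's point concrete: NO and unset both leave the compiled-in policy in place, which with IPFIREWALL and no IPFIREWALL_DEFAULT_TO_ACCEPT is deny-all.

```shell
# Constructed rc.conf fragments used to exercise the decision logic.
RC_YES='firewall_enable="YES"
firewall_type="open"'
RC_NO='firewall_enable="NO"'
RC_OFF='firewall_enable="off"'
RC_UNSET='hostname="example"'

# Read one variable out of rc.conf-style text; last assignment wins,
# as it would when sh sources the file. Value may be quoted or bare.
rc_get() {  # $1 = variable name, $2 = file contents
    printf '%s\n' "$2" \
      | sed -n "s/^$1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}\$/\1/p" \
      | tail -n 1
}

# Map firewall_enable to an action, case-insensitively like rc.subr's
# yes/no handling. Prints one of: load, kernel-default, disable.
fw_decide() {  # $1 = file contents
    v=$(rc_get firewall_enable "$1")
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) echo load ;;            # run rc.firewall, load rules
        off)           echo disable ;;         # explicit net.inet.ip.fw.enable=0
        *)             echo kernel-default ;;  # NO or unset: compiled-in policy
    esac
}

# The command each decision would run (printed only, hypothetical helper).
fw_commands() {  # $1 = file contents
    case "$(fw_decide "$1")" in
        load)           echo "sh /etc/rc.firewall" ;;
        disable)        echo "sysctl net.inet.ip.fw.enable=0" ;;
        kernel-default) echo "# nothing run: default-deny stays if IPFIREWALL lacks IPFIREWALL_DEFAULT_TO_ACCEPT" ;;
    esac
}

for rc in "$RC_YES" "$RC_NO" "$RC_OFF" "$RC_UNSET"; do
    printf '%-15s %s\n' "$(fw_decide "$rc")" "$(fw_commands "$rc")"
done
```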