Date: Sat, 26 Jul 1997 08:40:01 -0700 (PDT)
From: Heikki Suonsivu <hsu@mail.clinet.fi>
To: freebsd-bugs
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Message-ID: <199707261540.IAA04415@hub.freebsd.org>
The following reply was made to PR kern/4141; it has been noted by GNATS.
From: Heikki Suonsivu <hsu@mail.clinet.fi>
To: David Nugent <davidn@labs.usn.blaze.net.au>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Date: Sat, 26 Jul 1997 18:32:14 +0300 (EET DST)
> ipfw default rule was changed to deny over a year ago. This is the right
> thing in theory, but in practice it has been and still is a pain, causing
> a configuration mistake or kernel/ipfw command difference to always be fatal and
> requiring manual attendance. Fine for pure firewalls and machines which
~
> This would be easy to fix by adding a kernel compile option which would make
> the ipfw default rule "allow" instead of "deny". It would not harm anyone but
> would be a lifesaver for us.
Since Joerg is on holidays, I'll make his standard reply to this sort
of request:
Your email seemed to be truncated at this point, as the patch adding
this feature was missing. Could you please resend? :-)
NOTE! Before committing this, check it through first and try it; I'm neither
an experienced kernel hacker nor am I familiar with ipfw internals. I have
only tested it with one machine and it seemed to make things open by
default.
Please let me know if it gets committed, and about any possible changes.
------------------
Index: ip_fw.c
===================================================================
RCS file: /usr/CVS/src/sys/netinet/ip_fw.c,v
retrieving revision 1.51.2.3
diff -c -r1.51.2.3 ip_fw.c
*** ip_fw.c 1997/06/20 23:05:33 1.51.2.3
--- ip_fw.c 1997/07/26 14:48:39
***************
*** 936,953 ****
void
ip_fw_init(void)
{
! struct ip_fw deny;
ip_fw_chk_ptr = ip_fw_chk;
ip_fw_ctl_ptr = ip_fw_ctl;
LIST_INIT(&ip_fw_chain);
! bzero(&deny, sizeof deny);
! deny.fw_prot = IPPROTO_IP;
! deny.fw_number = (u_short)-1;
! deny.fw_flg |= IP_FW_F_DENY;
! deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
! if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
panic(__FUNCTION__);
printf("IP packet filtering initialized, "
--- 936,957 ----
void
ip_fw_init(void)
{
! struct ip_fw default_rule;
ip_fw_chk_ptr = ip_fw_chk;
ip_fw_ctl_ptr = ip_fw_ctl;
LIST_INIT(&ip_fw_chain);
! bzero(&default_rule, sizeof default_rule);
! default_rule.fw_prot = IPPROTO_IP;
! default_rule.fw_number = (u_short)-1;
! #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
! default_rule.fw_flg |= IP_FW_F_ACCEPT;
! #else
! default_rule.fw_flg |= IP_FW_F_DENY;
! #endif
! default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
! if (check_ipfw_struct(&default_rule) == NULL || add_entry(&ip_fw_chain, &default_rule))
panic(__FUNCTION__);
printf("IP packet filtering initialized, "
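Review bot: the `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` branch changes the kernel's fail state, so it needs a comment in the source itself stating that with the option set the chain passes all traffic from ip_fw_init() until the first rules are loaded, and that a misconfiguration now fails open rather than closed; a reader of this function will not see the LINT comment. Minor style point: the new `if (check_ipfw_struct(&default_rule) == NULL || add_entry(&ip_fw_chain, &default_rule))` line runs well past 80 columns and should be wrapped. The rename from `deny` to `default_rule` otherwise reads fine, and the rule number `(u_short)-1` and the panic path are unchanged.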
***************
*** 955,960 ****
--- 959,967 ----
"divert enabled, ");
#else
"divert disabled, ");
+ #endif
+ #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ printf("default to accept, ");
#endif
#ifndef IPFIREWALL_VERBOSE
printf("logging disabled\n");
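Review bot: the new boot message is printed only in the accept case, so a kernel built with the default deny says nothing about its default; consider an `#else` branch with `printf("default to deny, ");` so that dmesg always records which policy the kernel was built with, which is what an administrator auditing a host will look for. Also double-check the preprocessor nesting: the added `#endif` closes the IPDIVERT block, and the new `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` is then closed by the pre-existing `#endif` in the context line. That is correct, but borrowing an existing `#endif` is easy to misread, so adding the `#endif` together with the new `#ifdef` and keeping the old one in place would be clearer.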
-----------
Index: LINT
===================================================================
RCS file: /usr/CVS/src/sys/i386/conf/LINT,v
retrieving revision 1.286.2.25
diff -c -r1.286.2.25 LINT
*** LINT 1997/06/28 09:32:15 1.286.2.25
--- LINT 1997/07/26 14:43:14
***************
*** 335,340 ****
--- 335,341 ----
# dropped packets
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
options IPDIVERT #divert sockets
+ options IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default
options TCPDEBUG
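Review bot: the comment `# allow everything by default` understates what the option does; since LINT is the reference for kernel options, it should say that the firewall passes all traffic whenever no rules are loaded (including when the rule script fails or is skipped at boot), so that nobody turns it on for a firewall host by analogy with the neighbouring IPDIVERT line. The option also needs a mention in the ipfw documentation, which this diff does not touch.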
------------
Regards,
David
PS: Yes, I think this is worth doing too. This would allow a remote
booted machine with an nfs-mounted root filesystem to run the firewall
code as well.
--
David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276