From owner-freebsd-bugs Sat Jul 26 08:40:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA04452 for bugs-outgoing; Sat, 26 Jul 1997 08:40:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA04415; Sat, 26 Jul 1997 08:40:01 -0700 (PDT)
Date: Sat, 26 Jul 1997 08:40:01 -0700 (PDT)
Message-Id: <199707261540.IAA04415@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: Heikki Suonsivu
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Reply-To: Heikki Suonsivu
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR kern/4141; it has been noted by GNATS.

From: Heikki Suonsivu
To: David Nugent
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Date: Sat, 26 Jul 1997 18:32:14 +0300 (EET DST)

> ipfw default rule was changed to deny over a year ago. This is the right
> thing in theory, but in practice it has been and still is a pain, causing
> a configuration mistake or kernel/ipfw command difference to always be fatal and
> requiring manual attendance. Fine for pure firewalls and machines which ~
> This would be easy to fix by adding a kernel compile option which would make
> the ipfw default rule "allow" instead of "deny". It would not harm anyone but
> would be a lifesaver for us.

Since Joerg is on holidays, I'll make his standard reply to this sort of request:

Your email seemed to be truncated at this point, as the patch adding this feature was missing. Could you please resend? :-)

NOTE! Before committing this, check it through first and try it; I'm neither an experienced kernel hacker nor am I familiar with ipfw internals. I have only tested it with one machine and it seemed to make things open by default. Please let me know if it gets committed and of possible changes.
------------------ Index: ip_fw.c =================================================================== RCS file: /usr/CVS/src/sys/netinet/ip_fw.c,v retrieving revision 1.51.2.3 diff -c -r1.51.2.3 ip_fw.c *** ip_fw.c 1997/06/20 23:05:33 1.51.2.3 --- ip_fw.c 1997/07/26 14:48:39 *************** *** 936,953 **** void ip_fw_init(void) { ! struct ip_fw deny; ip_fw_chk_ptr = ip_fw_chk; ip_fw_ctl_ptr = ip_fw_ctl; LIST_INIT(&ip_fw_chain); ! bzero(&deny, sizeof deny); ! deny.fw_prot = IPPROTO_IP; ! deny.fw_number = (u_short)-1; ! deny.fw_flg |= IP_FW_F_DENY; ! deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; ! if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny)) panic(__FUNCTION__); printf("IP packet filtering initialized, " --- 936,957 ---- void ip_fw_init(void) { ! struct ip_fw default_rule; ip_fw_chk_ptr = ip_fw_chk; ip_fw_ctl_ptr = ip_fw_ctl; LIST_INIT(&ip_fw_chain); ! bzero(&default_rule, sizeof default_rule); ! default_rule.fw_prot = IPPROTO_IP; ! default_rule.fw_number = (u_short)-1; ! #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT ! default_rule.fw_flg |= IP_FW_F_ACCEPT; ! #else ! default_rule.fw_flg |= IP_FW_F_DENY; ! #endif ! default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT; ! 
if (check_ipfw_struct(&default_rule) == NULL || add_entry(&ip_fw_chain, &default_rule)) panic(__FUNCTION__); printf("IP packet filtering initialized, " *************** *** 955,960 **** --- 959,967 ---- "divert enabled, "); #else "divert disabled, "); + #endif + #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT + printf("default to accept, "); #endif #ifndef IPFIREWALL_VERBOSE printf("logging disabled\n"); ----------- Index: LINT =================================================================== RCS file: /usr/CVS/src/sys/i386/conf/LINT,v retrieving revision 1.286.2.25 diff -c -r1.286.2.25 LINT *** LINT 1997/06/28 09:32:15 1.286.2.25 --- LINT 1997/07/26 14:43:14 *************** *** 335,340 **** --- 335,341 ---- # dropped packets options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity options IPDIVERT #divert sockets + options IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default options TCPDEBUG ------------

Regards, David

PS: Yes, I think this is worth doing too. This would allow a remote booted machine with an nfs-mounted root filesystem to run the firewall code as well.

--
David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547 Data/BBS +61-3-9792-3507 3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/

--
Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276
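Review bot: in the first ip_fw.c hunk (936,953) the IPFIREWALL_DEFAULT_TO_ACCEPT branch sets IP_FW_F_ACCEPT on the terminal rule (fw_number (u_short)-1) and then ORs in IP_FW_F_IN | IP_FW_F_OUT, so a kernel built with the option is fail-open in both directions: every packet the loaded rule set does not match is passed, including during the window before the rule set is loaded and whenever loading fails, which is precisely the situation the PR wants to survive. That is the intended trade-off, but it should be stated next to the #ifdef and in the option's documentation, and the boot scripts for such a kernel should still install an explicit final rule so that the accept default is only ever reached by design, not by omission.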
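Review bot: the banner change in the second ip_fw.c hunk (955,960) only prints "default to accept, " when the option is set, so a kernel without it gives no indication of its default at all. Add an #else printing "default to deny, " so the default policy is always visible in the boot messages and an operator can confirm from dmesg which kind of kernel a host is running.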
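Review bot: the LINT hunk (335,340) adds the comment as "# allow everything by default" while the neighbouring lines use the "#limit verbosity" and "#divert sockets" style without a space; match the surrounding style. More importantly, the comment should say that the option is only meaningful together with IPFIREWALL and that it makes the host pass all traffic until a rule set is loaded, since someone picking options out of LINT would otherwise read "allow everything by default" as harmless.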