Date:      Sun, 24 Feb 2002 21:23:38 +0200
From:      Giorgos Keramidas <keramida@freebsd.org>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Jeff Palmer <scorpio@drkshdw.org>, freebsd-security@freebsd.org
Subject:   Re: Couple of concerns with default rc.firewall
Message-ID:  <20020224192337.GD21689@hades.hell.gr>
In-Reply-To: <xzpd6yuvndo.fsf@flood.ping.uio.no>
References:  <20020224104008.H14963-100000@mohegan.mohawk.net> <001901c1bd4e$3f03d8c0$0286a8c0@home.lan> <xzpd6yuvndo.fsf@flood.ping.uio.no>


On 2002-02-24 17:46, Dag-Erling Smorgrav wrote:
> "Jeff Palmer" <scorpio@drkshdw.org> writes:
> > I'm not sure if you two are bored,  or what the problem is.
> 
> Maybe the problem is your attitude, and your inability and / or
> unwillingness to express yourself clearly.
> 
> If the question is "why don't any of the default policies in
> /etc/rc.firewall include a rule to let icmp packets through?", the
> answer is (probably) "because nobody cared enough to add one".

Oh but they did :-)
Quoting rc.firewall:

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.

I really don't see why we should beat this to death.

If the default firewall policy (compiled into the kernel) is to block all
IP packets, then rc.firewall sets up things so that certain things are
allowed anyway, and falls back to the default policy.

If the default compiled in-kernel policy is to allow everything, then
everything is passed through.

Jeff, is there some specific problem in the current rc.firewall code that
you want to have changed?  If so, then can you post a patch that makes these
changes to the <freebsd-audit@freebsd.org> list?  Please?

There really is no need to fight about something, when we don't know what
that something is }:-)

Giorgos Keramidas                           FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}      http://www.FreeBSD.org/docproj/
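
Added example, not part of the original message and not code from rc.firewall: a small check of what happens to ICMP under a ruleset, given the fall-through to the kernel default rule (65535) described above. The function names `icmp_verdict` and `sample_rules` are hypothetical, the rule listing is constructed, and only plain one-word allow/deny rules in `ipfw list` form are assumed.

```shell
#!/bin/sh
# Added example: what happens to ICMP under a given ruleset?
# Reads `ipfw list`-style lines on stdin. Assumes the plain form
#   NUMBER ACTION PROTO from SRC to DST [options]
# with one-word allow/deny actions (no "log", no "unreach ...").
icmp_verdict() {
    awk '
    # Only rules whose protocol can match ICMP matter: icmp, or ip/all.
    $3 != "icmp" && $3 != "ip" && $3 != "all" { next }
    # Rule 65535 is the compiled-in default policy at the end of the list.
    $1 == "65535" { dflt = $2; next }
    # ipfw stops at the first matching allow/deny rule, so the first rule
    # that matches ICMP unconditionally decides it.
    ($2 == "allow" || $2 == "deny") && NF == 7 &&
        $5 == "any" && $7 == "any" && first == "" { first = "rule " $1 ": " $2 }
    END {
        if (first != "")     print first
        else if (dflt != "") print "default: " dflt
        else                 print "unknown"
    }'
}

# Constructed listing: loopback rules, an optional extra rule ($2), then
# the kernel default rule with the action given in $1.
sample_rules() {
    echo "00100 allow ip from any to any via lo0"
    echo "00200 deny ip from any to 127.0.0.0/8"
    echo "00300 deny ip from 127.0.0.0/8 to any"
    [ -z "${2:-}" ] || echo "$2"
    echo "65535 $1 ip from any to any"
}

sample_rules deny  | icmp_verdict   # kernel default is deny
sample_rules allow | icmp_verdict   # kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT
sample_rules deny "00600 allow icmp from any to any" | icmp_verdict
```

On a live system the input would be `ipfw list | icmp_verdict`; rules that match ICMP only conditionally (for example by interface or address) are not reported by this check.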
