From owner-freebsd-security@FreeBSD.ORG Thu Mar 4 18:23:39 2004
From: "David Edwards"
To: freebsd-security@freebsd.org
Date: Thu, 4 Mar 2004 21:24:40 -0500
Subject: ipfw question
Message-ID: <001801c40259$04be1ed0$6400a8c0@winxp1700>
References: <20040304074442.GA571@kolic.net>
List-Id: Security issues [members-only posting]
X-List-Received-Date: Fri, 05 Mar 2004 02:23:39 -0000

Hello folks,

I have a quick question about ipfw on a 4.8 server. In /etc/rc.conf, if you set firewall_type="OPEN", is it also necessary to have

    options IPFIREWALL_DEFAULT_TO_ACCEPT

in the kernel config file? I would think that using the first would be better because it can be removed, thus allowing no one access, including yourself if you aren't careful. Whereas the second method above, in the kernel config, leaves it open if no rules exist or if all rules are flushed. So the big question is: do I use both, or one or the other?

I know I can just do options IPFIREWALL, but I want to ensure there is no way of locking myself out at the initial reboot, since this is a remote server. I am also aware of the risks of doing it remotely, but I need to do this.

Thanks for your help.

David Edwards
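An added example, not part of David's message or of FreeBSD's own scripts. It illustrates the two things his question turns on: the kernel option and the rc.conf setting are independent (firewall_type="OPEN" makes rc.firewall install an explicit pass-all rule at 65000, while IPFIREWALL_DEFAULT_TO_ACCEPT only changes what the non-removable last rule, 65535, does), and `ipfw flush` removes every rule except 65535, so on a default-to-deny kernel a flush is exactly the lockout he is worried about. The first two functions read `ipfw list` output and report the default policy and whether traffic would currently pass; the sample listings are constructed to look like rc.firewall's OPEN rules on each kind of kernel. The last function is this example's own watchdog idea for applying rules over a remote session: the script name and grace-period arguments are its own parameters, not FreeBSD ones, and it is the only part that actually runs ipfw(8).

```shell
#!/bin/sh
# Added example: reason about ipfw's default rule and apply rules remotely
# with an automatic fallback. Only ipfw_safe_apply touches the real ipfw(8).

# Constructed sample of `ipfw list` after firewall_type="OPEN" on a kernel
# built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT (65535 is deny).
SAMPLE_OPEN_DEFAULT_DENY='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any'

# Same rules on a kernel built WITH IPFIREWALL_DEFAULT_TO_ACCEPT (65535 is allow).
SAMPLE_OPEN_DEFAULT_ACCEPT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any'

# What `ipfw flush` leaves behind on a default-to-deny kernel: only rule 65535.
SAMPLE_FLUSHED_DEFAULT_DENY='65535 deny ip from any to any'

# Read `ipfw list` text on stdin; print "accept" if the kernel's default rule
# (65535) allows, "deny" if it denies, "unknown" if the rule is not in the list.
ipfw_default_policy() {
    awk '$1 == "65535" { found = 1; print ($2 == "allow") ? "accept" : "deny" }
         END { if (!found) print "unknown" }'
}

# Read `ipfw list` text on stdin; print "pass" or "blocked" according to the
# first unqualified catch-all rule ("ip from any to any" with no via/in/out).
# Rule order is what ipfw uses, so the first match wins.
ipfw_traffic_passes() {
    awk 'NF == 7 && $3 == "ip" && $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" {
             print ($2 == "allow") ? "pass" : "blocked"; exit
         }'
}

# True (exit 0) when flushing the rules on this kernel would cut you off.
ipfw_flush_locks_out() {
    [ "$(ipfw_default_policy)" = "deny" ]
}

# Apply a rules script with a watchdog. Arguments (this example's own):
#   $1  shell script that issues ipfw commands
#   $2  grace period in seconds (default 120)
# If the session is lost and nobody kills the watchdog, it flushes the rules
# and re-adds a pass-all at 65000, which is safe on either kind of kernel
# because a bare flush on a default-to-deny kernel would stay locked out.
ipfw_safe_apply() {
    rules_script=$1
    grace=${2:-120}
    nohup sh -c "sleep $grace; ipfw -f flush; ipfw add 65000 allow ip from any to any" \
        >/dev/null 2>&1 &
    watchdog=$!
    sh "$rules_script"
    echo "rules loaded; if you can still reach the host, run: kill $watchdog"
}
```

Usage on the server itself would be `ipfw_safe_apply /etc/ipfw.rules 120`, then reconnecting within the grace period and killing the watchdog; the parsing helpers can be pointed at the live box with `ipfw list | ipfw_default_policy`. Note that a flush-and-reopen fallback is only a recovery for the session you are in: it does not change what happens at reboot, where rc.firewall's result and the kernel's 65535 rule decide.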