Date: Fri, 5 Mar 2004 08:57:30 +0200
From: Peter Pentchev <roam@ringlet.net>
To: David Edwards <david@deassociates.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw question
Message-ID: <20040305065729.GB747@straylight.m.ringlet.net>
In-Reply-To: <001801c40259$04be1ed0$6400a8c0@winxp1700>
References: <20040304074442.GA571@kolic.net> <001801c40259$04be1ed0$6400a8c0@winxp1700>
On Thu, Mar 04, 2004 at 09:24:40PM -0500, David Edwards wrote:
> Hello folks.. I have a quick question about ipfw on a 4.8 server..
>
> In /etc/rc.conf, if you set this - firewall_type="OPEN" - is it also
> necessary to have the IPFIREWALL_DEFAULT_TO_ACCEPT option in the kernel config
> file?

No, firewall_type="open" will work even without the default-to-accept
kernel config option.

The presence or absence of the kernel configuration option determines
what rule 65535 will be at startup: at the initialization of the ipfw
framework, it places a rule numbered 65535, which is either 'allow' if
the option is present, or 'deny' if it is not.

The firewall_type="open" rc.conf knob determines the behavior of the
/etc/rc.firewall script (which can be overridden by setting
firewall_script="something else" in /etc/rc.conf) - and rc.firewall's
'open' mode creates a rule numbered 65000. Since ipfw terminates the
rule search on the first match, rule 65000 will be processed before
rule 65535, and the kernel's default will never be considered -
firewall_type="open" trumps the presence or absence of the
IPFIREWALL_DEFAULT_TO_ACCEPT option.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence were in Chinese, it would say something else.
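The point of the reply above is the first-match rule walk: whichever of rule 65000 (from rc.firewall's 'open' mode) and rule 65535 (the kernel's built-in default) is reached first decides the packet, and the kernel option only matters when nothing before 65535 matches. The following is an added example, not code from this thread or from FreeBSD, that models just that behaviour so the four combinations can be checked offline. The 'open' rule set is a simplification of what /etc/rc.firewall installed for firewall_type="open" in the 4.x era (a single "allow ip from any to any" at 65000); the 'custom-no-catchall' rule set, the addresses and the sample packet are constructed for illustration.

```python
"""Toy model of ipfw first-match rule evaluation (FreeBSD 4.x era).

Added example; it is not code from the mailing-list thread or from FreeBSD.
It models only what the reply relies on: rules are walked in ascending
number order, the first matching rule decides, and rule 65535 is the
kernel's built-in default whose action depends on the
IPFIREWALL_DEFAULT_TO_ACCEPT kernel option.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int          # 1..65535, as in ipfw(8)
    action: str          # "allow" or "deny"
    proto: str = "ip"    # "ip" matches every protocol, like ipfw's "ip"
    src: str = "any"     # single IPv4 address or "any" (no CIDR in this toy)
    dst: str = "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


DEFAULT_RULE_NUMBER = 65535


def kernel_default_rule(default_to_accept: bool) -> Rule:
    """Rule 65535 is installed by the kernel when ipfw initialises; it is
    'allow' only if the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    return Rule(DEFAULT_RULE_NUMBER, "allow" if default_to_accept else "deny")


def rc_firewall_rules(firewall_type: str) -> List[Rule]:
    """Rules that the rc.firewall script adds for a given firewall_type.

    'open' mirrors the reply: one catch-all allow at 65000.
    'custom-no-catchall' is a hypothetical firewall_script (an assumption of
    this example) that installs a single specific rule and no catch-all, so
    the kernel default ends up deciding most traffic.
    """
    if firewall_type == "open":
        return [Rule(65000, "allow")]
    if firewall_type == "custom-no-catchall":
        return [Rule(100, "allow", proto="tcp", dst="192.0.2.10")]  # hypothetical
    raise ValueError(f"unmodelled firewall_type {firewall_type!r}")


def build_ruleset(firewall_type: str, default_to_accept: bool) -> List[Rule]:
    """Script rules plus the kernel's rule 65535, ordered by rule number."""
    rules = rc_firewall_rules(firewall_type) + [kernel_default_rule(default_to_accept)]
    return sorted(rules, key=lambda r: r.number)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First-match semantics: walk rules in ascending number order and stop
    at the first one that matches. Rule 65535 matches everything, so the
    walk always terminates once it is present."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    raise AssertionError("rule 65535 missing; a real ipfw ruleset always has it")


def verdict(firewall_type: str, default_to_accept: bool, pkt: Packet) -> Tuple[int, str]:
    """(rule number, action) that decides pkt for the given rc.conf/kernel combo."""
    return evaluate(build_ruleset(firewall_type, default_to_accept), pkt)


if __name__ == "__main__":
    # Constructed sample packet: UDP to a host that only rule 100 (TCP) names.
    pkt = Packet("udp", "198.51.100.7", "192.0.2.10")
    for ftype in ("open", "custom-no-catchall"):
        for opt in (True, False):
            num, act = verdict(ftype, opt, pkt)
            print(f"firewall_type={ftype:<19} IPFIREWALL_DEFAULT_TO_ACCEPT={opt!s:<5} -> rule {num} {act}")
```

Running it shows the reply's claim directly: with firewall_type="open" the verdict is rule 65000 allow whether or not the kernel option is set, while the hypothetical script without a catch-all falls through to rule 65535, where the kernel option alone decides between allow and deny. That fall-through is the case to watch for when replacing rc.firewall with a custom firewall_script.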