From owner-cvs-all Mon Mar 4 8:24:47 2002
Delivered-To: cvs-all@freebsd.org
Received: from rwcrmhc53.attbi.com (rwcrmhc53.attbi.com [204.127.198.39]) by hub.freebsd.org (Postfix) with ESMTP id 872C237B402; Mon, 4 Mar 2002 08:24:41 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc53.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020304162441.BDNS2951.rwcrmhc53.attbi.com@blossom.cjclark.org>; Mon, 4 Mar 2002 16:24:41 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g24GOdw87581; Mon, 4 Mar 2002 08:24:39 -0800 (PST) (envelope-from cjc)
Date: Mon, 4 Mar 2002 08:24:39 -0800
From: "Crist J. Clark"
To: "Jacques A. Vidrine", cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc rc.firewall rc.firewall6
Message-ID: <20020304082439.A87533@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <200202281451.g1SEpgY83070@freefall.freebsd.org> <20020304144420.GB17282@hellblazer.nectar.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020304144420.GB17282@hellblazer.nectar.cc>; from nectar@FreeBSD.org on Mon, Mar 04, 2002 at 08:44:20AM -0600
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Mar 04, 2002 at 08:44:20AM -0600, Jacques A. Vidrine wrote:
> On Thu, Feb 28, 2002 at 06:51:42AM -0800, Crist J. Clark wrote:
> > cjc         2002/02/28 06:51:42 PST
> > 
> >   Modified files:        (Branch: RELENG_4)
> >     etc                  rc.firewall rc.firewall6
> >   Log:
> >   MFC: Bring rc.firewall{,6} more in line with the word and spirit of
> >   rc.conf(5) and the files' inline documentation.
> > 
> >   src/etc/rc.firewall   1.45
> >   src/etc/rc.firewall6  1.11
> 
> I missed the discussion about this change.  Would you mind giving me
> some background, or just a pointer to the discussion?
> 
> This seems to change the default (firewall_type="UNKNOWN") from
> disallowing 127/8 on interfaces other than lo0 (i.e. it was
> disallowed, but now it is allowed).  I'm not sure that such a change
> is appropriate for -STABLE.

Not really. We don't explicitly disallow 127.0.0.0/8 since we are
denying it by default. The "UNKNOWN" type is documented to mean,

  # UNKNOWN     - disables the loading of firewall rules.

according to the comments in rc.firewall. In the past, you still got,

  ${fwcmd} add 100 pass all from any to any via lo0
  ${fwcmd} add 200 deny all from any to 127.0.0.0/8
  ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

when it was "UNKNOWN." That sure doesn't look like the loading of
firewall rules was disabled. With the change, you get no rules
loaded. This is actually "more secure" and fail-safe since we don't
even pass any traffic on the loopback.

If one desires the old "UNKNOWN" behavior, there is the "closed"
option which was documented in both rc.conf(5) and rc.firewall, but
was unimplemented. I added it with this change.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org