From: Nigel Houghton <nigel@sourcefire.com>
To: David Edwards
cc: freebsd-security@freebsd.org
Date: Fri, 5 Mar 2004 10:49:15 -0500
Subject: Re: ipfw question
Message-ID: <20040305154915.GA551@enterprise.sfeng.sourcefire.com>
In-Reply-To: <001801c40259$04be1ed0$6400a8c0@winxp1700>
References: <20040304074442.GA571@kolic.net> <001801c40259$04be1ed0$6400a8c0@winxp1700>

On 0, David Edwards allegedly wrote:
> Hello folks.. I have a quick question about ipfw in a 4.8 server.
>
> In /etc/rc.conf, if you set this - firewall_type="OPEN", is it also
> necessary to have options IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config
> file?

No, it is not necessary. firewall_type="open" means just that: it is open and everything is allowed.

> I would think that using the first would be better because it can be
> removed, thus allowing no one access, including yourself if you aren't
> careful. Whereas the second method above, in the kernel config, leaves it
> open if no rules exist or if all rules are flushed. So the big question
> is, do I use both, one or the other? I know I can just do options
> IPFIREWALL, but I want to ensure no way of locking myself out at initial
> reboot, since this is a remote server. I am also aware of the risks of doing
> it remotely. But I need to do this.

You are headed in the right direction: start with the "open" option and work from there, just be careful when you start adding rules and reloading rulesets. Allow what you need, and let the default deny take care of everything else.

> Thanks for your help.
>
> David Edwards

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a VCR.
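As an added example (not from the thread), the lockout-safe way to move a remote box from firewall_type="open" to a restrictive rule set that the reply describes: keep everything open while the rules load, let a background timer re-open the firewall unless you confirm from a fresh login that the new rules still admit you, and rely on the kernel's default deny for whatever is not listed. The admin network 192.0.2.0/24, the rule numbers and the services allowed are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: lockout-safe ipfw rule loading for a remote FreeBSD host.
# Assumptions (not from the thread): the admin reaches the box over ssh from
# ADMIN_NET, and the kernel is built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT, so
# anything no rule matches is dropped by the implicit default rule 65535.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # constructed (RFC 5737 documentation range)
IPFW="${IPFW:-ipfw}"                     # IPFW=echo gives a dry run
FALLBACK_SECS="${FALLBACK_SECS:-120}"    # how long you have to confirm

# The rule set, one "ipfw add" argument list per line, in load order: the
# admin ssh path comes first so it is in place before anything stricter.
# Deliberately no "flush": flushing a remote box is the lockout moment.
ruleset() {
    cat <<EOF
00100 allow ip from any to any via lo0
00200 allow tcp from $ADMIN_NET to me 22 in
00210 allow tcp from me 22 to $ADMIN_NET out established
00300 check-state
00310 allow tcp from me to any out setup keep-state
00320 allow udp from me to any 53 out keep-state
00400 allow icmp from any to any icmptypes 0,3,8,11
EOF
}

# Sanity check before loading: the first non-loopback rule must be the admin
# ssh allow, and nothing in the set may flush. Returns 0 when both hold.
check_ruleset() {
    ruleset | grep -qi 'flush' && return 1
    first=$(ruleset | grep -v ' via lo0' | head -n 1)
    case "$first" in
        *"allow tcp from $ADMIN_NET to me 22 in"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Load with a safety net. Rule 65000 keeps the box open while the new rules
# go in; a background job re-adds it after FALLBACK_SECS unless confirm_rules
# is run from a fresh session that proves the new rules still let you in.
load_with_fallback() {
    check_ruleset || return 1
    "$IPFW" add 65000 allow ip from any to any
    ruleset | while read -r num rest; do "$IPFW" add "$num" $rest; done
    ( sleep "$FALLBACK_SECS"; "$IPFW" add 65000 allow ip from any to any ) &
    FALLBACK_PID=$!
    "$IPFW" delete 65000          # the new rules now decide
}

# Run this only after reconnecting successfully under the new rules.
confirm_rules() { kill "$FALLBACK_PID" 2>/dev/null || true; }
```

If the new rules cut your session, do nothing: the timer re-adds rule 65000 and you reconnect to fix the set.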