Date: Mon, 4 Mar 2002 10:37:34 -0600
From: "Jacques A. Vidrine"
To: cjclark@alum.mit.edu
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc rc.firewall rc.firewall6
Message-ID: <20020304163734.GB17780@hellblazer.nectar.cc>
References: <200202281451.g1SEpgY83070@freefall.freebsd.org> <20020304144420.GB17282@hellblazer.nectar.cc> <20020304082439.A87533@blossom.cjclark.org>
In-Reply-To: <20020304082439.A87533@blossom.cjclark.org>

On Mon, Mar 04, 2002 at 08:24:39AM -0800, Crist J. Clark wrote:
> On Mon, Mar 04, 2002 at 08:44:20AM -0600, Jacques A. Vidrine wrote:
> > On Thu, Feb 28, 2002 at 06:51:42AM -0800, Crist J. Clark wrote:
> > > cjc         2002/02/28 06:51:42 PST
> > >
> > >   Modified files:        (Branch: RELENG_4)
> > >     etc                  rc.firewall rc.firewall6
> > >   Log:
> > >   MFC: Bring rc.firewall{,6} more in line with the word and spirit of
> > >   rc.conf(5) and the files' inline documentation.
> > >
> > >   src/etc/rc.firewall  1.45
> > >   src/etc/rc.firewall6 1.11
> >
> > I missed the discussion about this change. Would you mind giving me
> > some background, or just a pointer to the discussion?
> >
> > This seems to change the default (firewall_type="UNKNOWN") from
> > disallowing 127/8 on interfaces other than lo0 (i.e. it was
> > disallowed, but now it is allowed). I'm not sure that such a change
> > is appropriate for -STABLE.
>
> Not really. We don't explicitly disallow 127.0.0.0/8 since we are
> denying it by default.

Ah yes, that's right.

> The "UNKNOWN" type is documented to mean,
>
>   # UNKNOWN - disables the loading of firewall rules.
>
> According to the comments in rc.firewall. In the past, you still got,
>
>   ${fwcmd} add 100 pass all from any to any via lo0
>   ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>   ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> When it was "UNKNOWN." That sure doesn't look like the loading of
> firewall rules was disabled.

Yes, I understand the reasoning for the change going forward, and I
agree with it. I'm just nervous about changes in the default behavior
of the firewall code in -STABLE.

> With the change, you get no rules loaded. This is actually "more
> secure" and fail-safe since we don't even pass any traffic on the
> loopback.

I didn't think about the default deny. This change pretty much breaks
machines with IPFIREWALL, but no setting for firewall_type. I don't
think I care :-)

> If one desires the old "UNKNOWN" behavior, there is the
> "closed" option which was documented in both rc.conf(5) and
> rc.firewall, but was unimplemented. I added it with this change.

Thanks for the briefing!

Cheers,
-- 
Jacques A. Vidrine       http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
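The behaviour difference the thread argues about, as an added example that is not part of the original mail or of rc.firewall: a constructed model of ipfw first-match evaluation, loaded with either no rules (firewall_type="UNKNOWN" after the change) or the three quoted rules (the "closed" type), run over constructed sample packets against the kernel's implicit default-deny rule 65535. The Packet fields, interface names and sample addresses are assumptions for illustration.

```python
"""Constructed model of ipfw first-match evaluation (not rc.firewall code)."""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet traverses, e.g. "lo0" or "em0" (assumed names)


# Rules are (number, action, match) tuples; match is a predicate over a Packet.
# Numbers and match bodies mirror the three rules quoted in the thread.
CLOSED_RULES = [
    (100, "pass", lambda p: p.iface == "lo0"),                             # pass all from any to any via lo0
    (200, "deny", lambda p: ipaddress.ip_address(p.dst) in LOOPBACK_NET),  # deny all from any to 127.0.0.0/8
    (300, "deny", lambda p: ipaddress.ip_address(p.src) in LOOPBACK_NET),  # deny ip from 127.0.0.0/8 to any
]

UNKNOWN_RULES = []  # firewall_type="UNKNOWN" after the change: nothing loaded at all


def rules_for(firewall_type):
    return {"closed": CLOSED_RULES, "UNKNOWN": UNKNOWN_RULES}[firewall_type]


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched falls through to the
    kernel's implicit rule 65535, which denies when the firewall defaults to deny."""
    for number, action, match in rules:
        if match(pkt):
            return number, action
    return 65535, "deny"


def verdicts(firewall_type):
    # Constructed sample traffic: loopback, a 127/8-sourced packet on a real NIC, ordinary traffic.
    samples = {
        "loopback": Packet("127.0.0.1", "127.0.0.1", "lo0"),
        "loopback_src_on_em0": Packet("127.0.0.1", "192.0.2.10", "em0"),
        "ordinary": Packet("198.51.100.7", "192.0.2.10", "em0"),
    }
    return {name: evaluate(rules_for(firewall_type), pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for ft in ("UNKNOWN", "closed"):
        print(ft, verdicts(ft))
```

With "UNKNOWN" every packet, loopback included, hits rule 65535 and is dropped, which is the breakage for hosts with IPFIREWALL but no firewall_type; "closed" passes lo0 and still denies everything else.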