From: "Patrick M. Hausen"
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020127.120138.07163985.imp@village.org>
To: "M. Warner Losh"
Date: Mon, 28 Jan 2002 08:51:05 +0100 (CET)
Cc: charon@seektruth.org, dsyphers@uchicago.edu, security-officer@FreeBSD.ORG, stable@FreeBSD.ORG

Hi all!

In a long and tiring thread Warner Losh once wrote:

> : > The current behavior fails safe. The current behavior is documented.
> : > I relied on that documentation when setting up my firewall. Now you
> : > are wanting to change that documented behavior. It is that way
> : > specifically so we fail safe.
> :
> : The current behavior also renders systems unusable. What good is having my
> : web/mail server safe doing me if it can't process any mail or http requests?
> : The default rc.conf says next to firewall_enable "Set to YES to enable
> : firewall functionality," which implies that NO disables firewall
> : functionality. Which is read "disables firewall", not "disables custom
> : firewall scripts." I view the kernel as containing stuff that's
> : _potentially_ used - I can have support in it for an ethernet card
> : that's not installed. But the system doesn't hang looking for it.
>
> Rendering the system unusable is fail safe.
>
> : Anyway, the default rc.conf could have firewall_enable set to YES, which
> : would make it "fail safe."
>
> No. That's not fail safe. My machine will still break in an
> unacceptable way by this change.
>
> Please write up the exact details that you want to do so that those on
> security-officer know exactly what you are proposing. It is my
> understanding that you want to make enable_firewall=NO totally dyke
> out the firewall that was compiled into the kernel and be a totally
> open relay. I know that this breaks at least one machine that I have,
> but I also know that this breaks our current fail-safe behavior, which
> I'm strongly opposed to.
>
> However, I think I've become too embroiled in this issue, which is why
> I want the fine folks at security-officer@ to evaluate it (since I'm
> on that list, I'll refrain from doing more than stating my position).
> It just doesn't seem right to me.

Partly I agree with you, partly I think the original author is correct in
the way that the current behaviour is confusing, at least to novices.

apm_enable="NO" -> disable apm.
sendmail_enable="NO" -> disable sendmail.
firewall_enable="NO" -> you get the idea.

I'd suggest changing the name of the parameter to firewall_rules_enable or
firewall_script_enable, or ...

Wouldn't we get rid of this entire argument if IPFIREWALL_DEFAULT_TO_ACCEPT
was the default for the kernel part of ipfw and there was an option
IPFIREWALL_DEFAULT_TO_DENY for anyone preferring the "old" behaviour?

Since it is recommended to explicitly state every rule in your config file -
with Cisco access lists as well as with ipfw - I assume almost everyone has
an "add deny all from any to any" line at the end of his ruleset already?

I'm currently in a project where I build a bridging firewall. Seems like I
need DEFAULT_TO_ACCEPT to get arp through. I wouldn't mind if it became the
default.

Regards,

Patrick M. Hausen
Technical Director

--
punkt.de GmbH             Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a         Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe           http://punkt.de
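An added check for the practice the post relies on (an explicit catch-all deny at the end of every ipfw ruleset, so the policy fails closed whichever kernel default is compiled in). This is example code, not from Patrick Hausen's post or from FreeBSD; it assumes the ruleset is a file of plain "add ..." lines such as rc.conf's firewall_type points at, and the sample rulesets are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD: verify that an ipfw
# ruleset file (the file named by firewall_type in rc.conf) ends with an
# explicit catch-all deny, so the policy fails closed whether the kernel was
# built with IPFIREWALL_DEFAULT_TO_ACCEPT or with the default deny.

# Return 0 if the last non-comment, non-blank line of "$1" is
# "add [number] deny (all|ip) from any to any", 1 otherwise.
ruleset_has_final_deny() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1)
    printf '%s\n' "$last" | grep -Eq \
        '^[[:space:]]*add([[:space:]]+[0-9]+)?[[:space:]]+deny[[:space:]]+(all|ip)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any([[:space:]]|$)'
}

# Constructed sample rulesets for the demo (not a real production policy).
GOOD_RULES=$(mktemp)
cat >"$GOOD_RULES" <<'EOF'
# allow loopback, established TCP, inbound SMTP/HTTP; drop everything else
add allow ip from any to any via lo0
add allow tcp from any to any established
add allow tcp from any to me 25 setup
add allow tcp from any to me 80 setup
add 65000 deny ip from any to any
EOF

BAD_RULES=$(mktemp)
cat >"$BAD_RULES" <<'EOF'
# same accepts, but no catch-all: behaviour now depends on the kernel default
add allow ip from any to any via lo0
add allow tcp from any to any established
add allow tcp from any to me 25 setup
EOF

# Report each ruleset; return 0 only if every one of them fails closed.
check_rulesets() {
    rc=0
    for f in "$@"; do
        if ruleset_has_final_deny "$f"; then
            echo "OK   $f: explicit final deny present"
        else
            echo "WARN $f: no final deny; policy depends on kernel default"
            rc=1
        fi
    done
    return $rc
}

check_rulesets "$GOOD_RULES" "$BAD_RULES" || echo "at least one ruleset relies on the kernel default"
```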