From owner-freebsd-questions@freebsd.org  Sun Dec  9 18:30:03 2018
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 712BE1329DF7
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Sun,  9 Dec 2018 18:30:03 +0000 (UTC)
 (envelope-from kudzu@tenebras.com)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com
 [IPv6:2607:f8b0:4864:20::82b])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id CE88675476
 for <freebsd-questions@freebsd.org>; Sun,  9 Dec 2018 18:30:02 +0000 (UTC)
 (envelope-from kudzu@tenebras.com)
Received: by mail-qt1-x82b.google.com with SMTP id z16so9981853qtq.4
 for <freebsd-questions@freebsd.org>; Sun, 09 Dec 2018 10:30:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tenebras-com.20150623.gappssmtp.com; s=20150623;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
 bh=6seqLcOzTTcF9xlH+I0mVLsyxQSNmKAX1C57HEIi49M=;
 b=V0i+hCHMflirqtYZHlESAGYksYUpWT+eBFXLN2aMDYtWe6jGpJiTw7irIpRXXUDrut
 Xuy2mb1RhuLH1wLbVfTQxbVFwSkiSDLljrOsSJZkY20S0V/g+KnY9FBodKGe6VM9PrZS
 GW6MTRTTDVdRMuHqWMkN+7QNCkKBDgrMzJrWS0k8OjvnG4CL1aCRzaFqxx4R8Nm3k2bG
 U1+ebrdMxhhz6aC1CPWOAD+gl0z+hKtpxH5ZFxKfDQtHTOD2mF2JXa2p0TsE9QK6Ri/a
 LG23S6E0SANuSTQBpXbLJ9L9EleIVBhCRF+kf/4JoA/FzUDEsTyeFf29T9vKbHyBX9Y9
 HIwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to;
 bh=6seqLcOzTTcF9xlH+I0mVLsyxQSNmKAX1C57HEIi49M=;
 b=Iq4MM7Lma+TjYdzhkLpD5Z5lHK1p9ChXnDaHcyiyfxTPP9Jiij9x7polUuck60vIwf
 lMLZEX7j+0BSmfifq3e4z3FGAKY0ocg3C3SNobq+P0XoESkYUHFBigNIJePAFVrRi+Jr
 i2UYifnfEQLA+2MlpAbQJlbPiWG5FJe/nYRKSRWPwpKj+Sg0QYdBOqK66raFCXUadMg5
 ucr7gEHsLoStx+e1zeowDlbSN+P9OYO+h0LdVlw0nA+9QbqXxernf7PsKyNZ3dTCSAaS
 1r3Pif+SoK7KFYZ2jDqXvIRESL0aXPqf2MOXbW977PkDsdpwhtbZl/sa7d239daEghpJ
 v8yg==
X-Gm-Message-State: AA+aEWZEPJf3zVOBOxpcsBDNCXUYlWDgjUbC1PS4xROQbeBC2ihbCyXL
 m4hI/ZazJsYh65xuayOukwcq0MfHR/Pt9WY+PBJ6RnlN
X-Google-Smtp-Source: AFSGD/VGhraLNzWocfCewX6BsIyyIgcGg1JwTqJnmMKXUsZWRvWFo9UNJZP96XYOwKavD3WEFl4lsUe8fn1hDAF0INI=
X-Received: by 2002:a0c:aa84:: with SMTP id f4mr8891557qvb.243.1544380202143; 
 Sun, 09 Dec 2018 10:30:02 -0800 (PST)
MIME-Version: 1.0
References: <5C0D594C.2060407@gmail.com> <5C0D5BAB.5040404@gmail.com>
In-Reply-To: <5C0D5BAB.5040404@gmail.com>
From: Michael Sierchio <kudzu@tenebras.com>
Date: Sun, 9 Dec 2018 10:29:26 -0800
Message-ID: <CAHu1Y72L4yrgz_v5qS_vwdu3z1AeLaqHyM7NWOkrkJyNZODNDg@mail.gmail.com>
Subject: Re: Change IPFW default to allow
To: FreeBSD Questions <freebsd-questions@freebsd.org>
X-Rspamd-Queue-Id: CE88675476
X-Spamd-Result: default: False [-5.10 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-0.999,0];
 R_DKIM_ALLOW(-0.20)[tenebras-com.20150623.gappssmtp.com];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[multipart/alternative,text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org];
 DMARC_NA(0.00)[tenebras.com]; RCPT_COUNT_ONE(0.00)[1];
 TO_DN_ALL(0.00)[];
 DKIM_TRACE(0.00)[tenebras-com.20150623.gappssmtp.com:+];
 MX_GOOD(-0.01)[cached: alt1.aspmx.l.google.com];
 RCVD_IN_DNSWL_NONE(0.00)[b.2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org
 : 127.0.5.0]; NEURAL_HAM_SHORT(-0.99)[-0.990,0];
 R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[];
 RCVD_TLS_LAST(0.00)[];
 IP_SCORE(-1.80)[ip: (-6.10), ipnet: 2607:f8b0::/32(-1.50), asn: 15169(-1.30),
 country: US(-0.09)]; 
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 RCVD_COUNT_TWO(0.00)[2]
X-Rspamd-Server: mx1.freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.29
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 18:30:03 -0000

On Sun, Dec 9, 2018 at 10:17 AM JD <jd1008@gmail.com> wrote:

> What a horrible (terribly insecure) suggestion for default operation of
> IPFW.


Default to accept merely means that the default rule - rule 65535 - permits
all traffic. It is useful when booting and getting all other services
operational. Loading a firewall ruleset changes that entirely.  Imagine a
situation in which your cloud instance tries to get a DHCP address and
routing information, only to fail because no packets can go in or out.

You haven't done this before, have you?

--=20
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mah=C4=81bh=C4=81rata