From: Karl Pielorz
To: freebsd-hackers@freebsd.org
Date: Mon, 29 Jul 2013 11:45:26 +0100
Subject: kldload ipfw, with IPFIREWALL_DEFAULT_TO_ACCEPT
Message-ID: <1D6BF13DFC536AFC94EC6D64@Mail-PC.tdx.co.uk>

Hi,

I've got a number of 9.1 boxes, where we need to enable ipfw (by kldload'ing it).

I'm sure I saw a while ago a sysctl that would change the default ipfw config from 'deny all' to 'allow all' - even for a kldload? But I can't find it now.

The boxes have a number of CARP interfaces on them - and I don't want them getting blocked during the firewall load - as there's a chance they'll flip to MASTER etc. [as well as cutting everyone on, and going through, the box off - even if only momentarily].

So if there's a sysctl for changing the default ipfw behaviour on loading, or some way of getting the ethernet interfaces to 'opt out' of ipfw (until I've added the 'allow all from any to any' rule) - that'd be great.

Thanks,

-Karl
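The knob the post is looking for is the ipfw loader tunable net.inet.ip.fw.default_to_accept (documented in ipfw(8)); it is read-only once the module is loaded, so it has to be in the kernel environment before kldload, either via /boot/loader.conf or set at runtime with kenv(1). The script below is an added example, not code from the original message or from FreeBSD: it sets the tunable with kenv, loads the module, verifies the value the module actually picked up, and falls back to net.inet.ip.fw.enable=0 if the box came up default-deny. The script name ipfw-open.sh and the DRY_RUN/FAKE_TUNABLE switches are the example's own inventions; that setting the tunable with kenv on a running 9.1 kernel is honoured by a subsequently loaded ipfw.ko is an assumption to confirm with `sysctl net.inet.ip.fw.default_to_accept` after the first load.

```shell
#!/bin/sh
# Added example (not from the original post): load ipfw on a running box
# without a default-deny window, so CARP/SSH traffic is never dropped.
# Assumption: the loader tunable net.inet.ip.fw.default_to_accept is set
# with kenv(1) at runtime and picked up by ipfw.ko when it loads.

TUNABLE=net.inet.ip.fw.default_to_accept
DRY_RUN=${DRY_RUN:-0}            # 1 = print privileged commands instead of running them
FAKE_TUNABLE=${FAKE_TUNABLE:-1}  # value "read back" from the module in dry-run mode

# Run a privileged command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Does this tunable value mean "last rule is allow"?  Only "1" does; an
# empty string (tunable unset, module not loaded) is treated as deny.
tunable_is_accept() {
    [ "$1" = 1 ]
}

# Value of the tunable as the loaded module sees it.
read_tunable() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$FAKE_TUNABLE"
    else
        sysctl -n "$TUNABLE" 2>/dev/null
    fi
}

# The line to put in /boot/loader.conf so every future boot has it.
loader_conf_line() {
    echo "$TUNABLE=\"1\""
}

# Load ipfw with default-accept, verify, then install an explicit allow.
# Returns 0 on success, 1 if the module came up default-deny (in which
# case filtering is switched off immediately so traffic recovers).
ipfw_load_open() {
    if [ "$DRY_RUN" != 1 ] && kldstat -q -m ipfw 2>/dev/null; then
        echo "ipfw already loaded; not touching it" >&2
        return 1
    fi
    run kenv "$TUNABLE=1" || return 1
    run kldload ipfw || return 1
    got=$(read_tunable)
    if ! tunable_is_accept "$got"; then
        # Tunable not honoured (or wrong kernel): stop filtering right away.
        run sysctl net.inet.ip.fw.enable=0
        echo "ipfw loaded default-deny (tunable='$got'); filtering disabled." >&2
        echo "Put $(loader_conf_line) in /boot/loader.conf and retry after reboot." >&2
        return 1
    fi
    # Explicit allow so the policy survives a later change of the default rule.
    run ipfw -q add 65000 allow ip from any to any
}

# Usage (as root): ./ipfw-open.sh        dry run: DRY_RUN=1 ./ipfw-open.sh
[ "${0##*/}" = ipfw-open.sh ] && ipfw_load_open
```

The check after kldload matters: if the tunable is not honoured, the module is already filtering with rule 65535 as deny, and disabling it via net.inet.ip.fw.enable is the quickest way back to passing traffic while you put the loader.conf line in place. Rule 65000 is an arbitrary number below the default rule; pick whatever fits your rule set.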