From owner-freebsd-hackers Tue Sep 17 23:20:06 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA26566 for hackers-outgoing; Tue, 17 Sep 1996 23:20:06 -0700 (PDT)
Received: from sdev.blaze.net.au (sdev.blaze.net.au [203.17.53.11]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA25968; Tue, 17 Sep 1996 23:18:53 -0700 (PDT)
Received: from localhost (davidn@localhost) by sdev.blaze.net.au (8.7.5/8.6.9) with SMTP id QAA04805; Wed, 18 Sep 1996 16:14:39 GMT
Date: Wed, 18 Sep 1996 16:14:38 +0000
From: David Nugent
To: Ollivier Robert
cc: hackers@freebsd.org, security@freebsd.org
Subject: Re: Could use a favor
In-Reply-To: <199609161856.UAA03226@keltia.freenix.fr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 16 Sep 1996, Ollivier Robert wrote:

>> The only conclusion I have come at is that it is to allow only things
>> that you especially allow to happen... The bad thing is that there is no
>> switch to switch the firewall on/off. You compile a new kernel with the
>> option for firewall and suddenly it accepts nothing over the network.
>
> Sure there is:
>
> By default all is off. To open (dangerous!!!)
>
> ipfw add 65000 pass all from any to any
>
> To close it again:
>
> ipfw delete 65000

I'm familiar with the theory of firewalls, but have never run one so I
lack the experience to fully understand this. But this reply caught my
attention. Why is an (effectively) disabled firewall "dangerous"? Is it
more "dangerous" or exposed to security problems than a machine that has
been configured without a firewall at all?

It's just that it seems that limited firewalls are quite useful -
particularly for port redirection and so forth, and in particular for
preventing outgoing and incoming spam-email abusers.

If putting the firewall in place without being fully enabled is
"dangerous", then I certainly want to know just how dangerous that is
before I go ahead and do it.

David Nugent, Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-791-9547 Data/BBS +61-3-792-3507 3:632/348@fidonet
davidn@blaze.net.au http://www.blaze.net.au/~davidn
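The behaviour the thread is arguing about (an ipfw kernel with no rules drops everything, a single high-numbered "pass all" rule makes the box behave as if it had no filter, and a small allow-list sits in between) can be shown with a toy model of ipfw's first-match evaluation. This is an added illustration, not code from the list or from FreeBSD; the rule grammar it parses is the subset used in the quoted commands plus an optional destination port, and the addresses and packets are constructed.

```python
"""Toy model of ipfw first-match evaluation (constructed example, not FreeBSD code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Accepts only the rule shape used in the thread: "add N pass|deny PROTO from A to B [PORT]"
RULE_RE = re.compile(r"add (\d+) (pass|deny) (\w+) from (\S+) to (\S+)(?: (\d+))?$")

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def parse_rule(text):
    """Turn one 'ipfw add ...' argument string into a (num, action, proto, src, dst, port) tuple."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    num, action, proto, src, dst, port = m.groups()
    return (int(num), action, proto, src, dst, int(port) if port else None)

def matches(rule, pkt):
    _, _, proto, src, dst, port = rule
    return (proto in ("all", pkt.proto) and src in ("any", pkt.src)
            and dst in ("any", pkt.dst) and (port is None or port == pkt.dport))

def verdict(rules, pkt):
    """Walk rules in ascending number; first match wins. Falling off the end is a deny,
    which is the 'accepts nothing over the network' state described in the thread."""
    for rule in sorted(rules):
        if matches(rule, pkt):
            return rule[1]
    return "deny"

def delete_rule(rules, num):
    """Model 'ipfw delete N': remove every rule carrying that number."""
    return [r for r in rules if r[0] != num]

# Constructed rule sets: the thread's open-everything rule vs. a limited allow-list.
OPEN = [parse_rule("add 65000 pass all from any to any")]
LIMITED = [parse_rule("add 100 pass tcp from any to 192.0.2.10 25"),   # inbound mail only
           parse_rule("add 200 pass icmp from any to any")]

# Constructed sample traffic aimed at a host we pretend is ours (192.0.2.10).
SMTP_IN = Packet("tcp", "203.0.113.5", "192.0.2.10", 25)
SSH_IN = Packet("tcp", "203.0.113.5", "192.0.2.10", 22)
```

With no rules at all every packet is denied; `OPEN` passes both packets, which is why the quoted reply calls it dangerous relative to a restrictive policy; `LIMITED` passes mail and drops the ssh attempt, and `delete_rule(OPEN, 65000)` returns the box to deny-all.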