From owner-freebsd-hackers Wed Sep 18 01:27:25 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02389 for hackers-outgoing; Wed, 18 Sep 1996 01:27:25 -0700 (PDT)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02352; Wed, 18 Sep 1996 01:27:19 -0700 (PDT)
Received: (from danny@localhost) by panda.hilink.com.au (8.7.5/8.7.3) id SAA03973; Wed, 18 Sep 1996 18:25:21 +1000 (EST)
Date: Wed, 18 Sep 1996 18:25:19 +1000 (EST)
From: "Daniel O'Callaghan"
To: David Nugent
cc: hackers@freebsd.org, security@freebsd.org
Subject: Re: Could use a favor
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 18 Sep 1996, David Nugent wrote:

> I'm familiar with the theory of firewalls, but have never run
> one so I lack the experience to fully understand this. But this
> reply caught my attention.
>
> Why is an (effectively) disabled firewall "dangerous"? Is it more
> "dangerous" or exposed to security problems than a machine that
> has been configured without a firewall at all?
>
> It's just that it seems that limited firewalls are quite useful -
> particularly for port redirection and so forth, and in particular
> for preventing outgoing and incoming spam-email abusers. If
> putting the firewall in place without being fully enabled is
> "dangerous", then I certainly want to know just how dangerous
> that is before I go ahead and do it.

I think it is simply a matter of if you configure IPFIREWALL into the
kernel and then believe you are protected, then it is dangerous.

Ugen's ipfw originally had default policy open; Poul-Henning changed
this to closed when he did a code revamp. I think Poul-Henning has done
the right thing, but it is a bit confusing when one meets a "Permission
denied" error when trying to ping another machine.

Hence my submission of some minor mods to netstart and sysconfig which
tell the user what s/he has done wrong.

Danny
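The situation Danny describes, a kernel built with IPFIREWALL whose default policy is now deny, so that a box with no rules loaded silently refuses everything including ping, is exactly the kind of thing a startup script can warn about. The shell function below is an added example, not the netstart/sysconfig modification Danny submitted and not FreeBSD code; the file paths, the rule-file format and the sample kernel config and rules files are constructed for illustration.

```shell
# Added example (not the netstart/sysconfig patch from the message): a
# startup-style check that warns when the IPFIREWALL kernel option is
# present but no firewall rules have been written, because under the
# default-deny policy every packet, ping included, will fail with
# "Permission denied".  Paths, option names and rule syntax are assumptions.

ipfw_sanity_check() {
    # $1: kernel config file, $2: firewall rules file (may be missing/empty)
    kconf=$1
    rules=$2

    # No IPFIREWALL option compiled in: nothing to warn about.
    if ! grep -q '^options[[:space:]]*IPFIREWALL' "$kconf"; then
        echo "no IPFIREWALL in kernel config; nothing to check"
        return 0
    fi

    # Option is present: the rules file must exist and contain at least one
    # non-comment line, otherwise the default policy (deny) is all there is.
    if [ ! -s "$rules" ] || ! grep -q '^[^#]' "$rules"; then
        echo "WARNING: IPFIREWALL is compiled into the kernel but no rules are loaded."
        echo "         Default policy is deny: all traffic (even ping) will get"
        echo "         'Permission denied' until you add rules."
        return 1
    fi

    echo "IPFIREWALL present and rules file has entries"
    return 0
}

# Constructed sample inputs (not real system files).
tmp=$(mktemp -d)
printf 'options\tIPFIREWALL\noptions\tINET\n' > "$tmp/KERNEL"
: > "$tmp/rules.empty"
printf '# constructed rules file\nadd allow ip from any to any\n' > "$tmp/rules.ok"

ipfw_sanity_check "$tmp/KERNEL" "$tmp/rules.empty"   # warns, returns 1
ipfw_sanity_check "$tmp/KERNEL" "$tmp/rules.ok"      # ok, returns 0
rm -rf "$tmp"
```

The check deliberately keys off the kernel config rather than the running kernel, since the point of the warning is to catch the mismatch between what the administrator thinks they configured and what the box will actually do once it boots.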