From owner-freebsd-doc Thu Jan 2 8: 9:36 2003 Delivered-To: freebsd-doc@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 672FA37B401 for ; Thu, 2 Jan 2003 08:09:35 -0800 (PST) Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id B609343EC5 for ; Thu, 2 Jan 2003 08:09:34 -0800 (PST) (envelope-from shamrock@cypherpunks.to) Received: from VAIO650 (unknown [208.201.229.160]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by pakastelohi.cypherpunks.to (Postfix) with ESMTP id 1A8AA3662D; Thu, 2 Jan 2003 17:09:25 +0100 (CET) From: "Lucky Green" To: Cc: Subject: IPFW: suicidal defaults Date: Thu, 2 Jan 2003 08:09:19 -0800 Message-ID: <000101c2b279$51d33ba0$6601a8c0@VAIO650> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Importance: Normal Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Folks, A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvssup from the security branch) machine. Following the instruction in the Handbook at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html I recompiled the kernel with the required options and rebooted the machine. What I would have expected to happen is for there to be a new kernel that later on can be configured with firewall rules. But that is not what happened. Instead, IPFW defaults to block all IP traffic unless told otherwise: I was locked out of my machine! Which was on the other side of the planet from where I was physically located. Now I am all for shipping systems that are secure out-of-the-box, but defaulting an install to locking the admin out of his machine is not a nice thing to do. While I would argue that this should never be done, at the very least such a major trap should be mentioned in the Handbook so that administrators that follow the Handbook's step-by-step instructions know that they have to do so from the console, since in doing so they will lock themselves out remotely. Therefore, could you please be so kind and prevent others from shooting themselves into the foot as I did by 1) at least mention this danger *prominently* in the FreeBSD Handbook. 2) ideally set IPFW defaults so that they don't screw up people's lives. Big thanks in advance, --Lucky Green, an otherwise very happy FreeBSD user To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message