Date:      Tue, 29 Jan 2002 05:00:02 -0800 (PST)
From:      "Siegbert Baude" <Siegbert.Baude@gmx.de>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: conf/34355: [PATCH] rc.conf comment misleading (firewall_enable)
Message-ID:  <200201291300.g0TD02I00611@freefall.freebsd.org>

The following reply was made to PR conf/34355; it has been noted by GNATS.

From: "Siegbert Baude" <Siegbert.Baude@gmx.de>
To: <freebsd-gnats-submit@FreeBSD.org>, <Gerhard.Sittig@gmx.net>
Cc:  
Subject: Re: conf/34355: [PATCH] rc.conf comment misleading (firewall_enable)
Date: Tue, 29 Jan 2002 13:55:45 +0100

 The main reason for all the confusion is the comment's word "functionality".
 This is simply wrong, as the variable is not about the state/functionality of
 the firewall, but about the enabling of it. Gerhard's change removes this
 misleading word. Good.
 To point out the potential danger, just add another line to the comment in
 defaults/rc.conf:
 
 -firewall_enable="NO" # Set to YES to enable firewall functionality
 +firewall_enable="NO" # Set to YES to load firewall rulesets
 +                     # YOU CAN LOCK OUT YOURSELF: man 5 rc.conf !
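Review bot: the new second comment line sends the reader to man 5 rc.conf without saying what to set; since the manual-page text later in this message recommends firewall_type=open for a first enable, put that in the comment itself, e.g. `# Set firewall_type="open" first or YOU CAN LOCK YOURSELF OUT (man 5 rc.conf)`. Minor wording: "LOCK OUT YOURSELF" reads more naturally as "LOCK YOURSELF OUT".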
 
 Of course, along with updating man 5 rc.conf with the words taken from LINT/NOTES:
 
 firewall_enable
     (bool) Set to ``YES'' to load firewall rules at startup.
     If the kernel was not built with IPFIREWALL, the ipfw ker-
     nel module will be loaded.  See also ipfilter_enable.
 +   WARNING:  The kernel option IPFIREWALL defaults to a policy
 +   of "deny ip from any to any" and if you do not add other rules
 +   during startup to allow access, YOU WILL LOCK YOURSELF OUT.
 +   It is suggested that you set firewall_type=open in /etc/rc.conf
 +   when first enabling this feature, then refining the firewall
 +   rules in /etc/rc.firewall after you've tested that the new kernel
 +   feature works properly.
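Review bot: the WARNING speaks only of "the kernel option IPFIREWALL", while the sentence just above it says the ipfw kernel module is loaded when the kernel was not built with that option; an administrator who relies on the module may conclude the default-deny policy does not apply to them. Say explicitly whether the same startup policy applies when the module is loaded instead of the option being compiled in, so the warning covers both paths the entry describes. Minor grammar: "then refining the firewall rules" should parallel "set", i.e. "then refine the firewall rules in /etc/rc.firewall".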
 
 
 Further suggestions to change CURRENT rc variables can be found at
 http://docs.freebsd.org/cgi/getmsg.cgi?fetch=646699+0+current/freebsd-stable
 
 Siegbert Baude
 
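As an added example that is not part of this PR or of FreeBSD's own rc scripts, the following POSIX shell check applies the message's advice before a reboot: it reads an rc.conf-style file and flags the combination firewall_enable="YES" without firewall_type="open". The simple one-assignment-per-line parsing and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR or of FreeBSD's own rc scripts: a
# pre-reboot check that reads an rc.conf-style file and reports whether
# firewall_enable="YES" is set without a firewall_type that keeps the
# host reachable, the combination this message warns will lock the
# administrator out. Assumptions: variables are one-per-line VAR=value
# or VAR="value" assignments, and "open" is the safe first-boot value,
# as the message suggests.

# Print the value of variable $2 from file $1 (last assignment wins, as
# in sh), with quotes, trailing comments and trailing spaces removed.
# Prints nothing when the variable is not set.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" \
        | tail -n 1 | tr -d '"' | tr -d "'" | sed 's/[[:space:]]*$//'
}

# Exit status 0 when the configuration is safe to boot, 1 when it risks
# lockout; a one-line verdict goes to stdout.
check_firewall_conf() {
    enable=$(rc_get "$1" firewall_enable | tr '[:lower:]' '[:upper:]')
    ftype=$(rc_get "$1" firewall_type)
    if [ "$enable" != "YES" ]; then
        echo "firewall_enable is not YES; nothing to check"
        return 0
    fi
    case "$ftype" in
        open) echo "ok: firewall_type=open, host stays reachable"; return 0 ;;
        "")   echo "RISK: firewall_enable=YES with no firewall_type;" \
                   "the default policy is deny ip from any to any"; return 1 ;;
        *)    echo "REVIEW: firewall_type=$ftype; confirm that ruleset" \
                   "admits your own session before rebooting"; return 1 ;;
    esac
}

# Constructed sample configurations (not taken from any real host).
tmp=$(mktemp)
printf 'firewall_enable="YES"   # enable ipfw\n' > "$tmp"
check_firewall_conf "$tmp" || true   # RISK, returns 1
printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$tmp"
check_firewall_conf "$tmp"           # ok, returns 0
rm -f "$tmp"
```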

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message