Date: Tue, 29 Jan 2002 05:00:02 -0800 (PST)
From: "Siegbert Baude" <Siegbert.Baude@gmx.de>
To: freebsd-bugs@FreeBSD.org
Subject: Re: conf/34355: [PATCH] rc.conf comment misleading (firewall_enable)
Message-ID: <200201291300.g0TD02I00611@freefall.freebsd.org>
The following reply was made to PR conf/34355; it has been noted by GNATS.

From: "Siegbert Baude" <Siegbert.Baude@gmx.de>
To: <freebsd-gnats-submit@FreeBSD.org>, <Gerhard.Sittig@gmx.net>
Cc:
Subject: Re: conf/34355: [PATCH] rc.conf comment misleading (firewall_enable)
Date: Tue, 29 Jan 2002 13:55:45 +0100

The main reason of all the confusion is the comment's word "functionality". This is simply wrong, as the variable is not about the state/functionality of the firewall, but about the enabling of it. Gerhard's change removes this misleading word. Good.

To point out the potential danger, just add another line to the comment in defaults/rc.conf:

-firewall_enable="NO" # Set to YES to enable firewall functionality +firewall_enable="NO" # Set to YES to load firewall rulesets + # YOU CAN LOCK OUT YOURSELF: man 5 rc.conf !

Of course with updating man 5 rc.conf with the words taken from LINT/NOTES:

firewall_enable (bool) Set to ``YES'' to load firewall rules at startup. If the kernel was not built with IPFIREWALL, the ipfw ker- nel module will be loaded. See also ipfilter_enable. + WARNING: The kernel option IPFIREWALL defaults to a policy + of "deny ip from any to any" and if you do not add other rules + during startup to allow access, YOU WILL LOCK YOURSELF OUT. + It is suggested that you set firewall_type=open in /etc/rc.conf + when first enabling this feature, then refining the firewall + rules in /etc/rc.firewall after you've tested that the new kernel + feature works properly.

Further suggestions to change CURRENT rc variables can be found in
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=646699+0+current/freebsd-stable

Siegbert Baude

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
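
Review bot: In the defaults/rc.conf hunk, the added second comment line ("+ # YOU CAN LOCK OUT YOURSELF: man 5 rc.conf !") warns without naming the cause, so someone editing rc.conf still has to open the man page to learn what goes wrong. The cause fits in the comment itself: the man page text proposed in the same message gives it as a default policy of "deny ip from any to any", so a line such as "# Default policy denies all traffic; see rc.conf(5)" would carry both the reason and the reference, in the same plain style as the line being replaced. The first added line also says "load firewall rulesets" where the man page context says "load firewall rules"; using one wording in both places keeps the comment and the manual from drifting apart.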
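
Review bot: In the rc.conf(5) hunk, the added WARNING is worded for the kernel option only ("The kernel option IPFIREWALL defaults to a policy of ...", "the new kernel feature"), while the unchanged context directly above it says that when the kernel was not built with IPFIREWALL the ipfw kernel module will be loaded. As written, a reader on the module path cannot tell whether the lock-out applies to them. The text copied from LINT/NOTES should be adapted to this entry: state whether the same default policy is in effect when the module is loaded, and replace "the new kernel feature" with wording that fits an rc.conf variable rather than a kernel build.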