Date: Sat, 1 Nov 2014 16:16:07 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Freddie Cash <fjwcash@gmail.com>
Cc: freebsd-net <freebsd-net@freebsd.org>, freebsd-ipfw@freebsd.org, FreeBSD Arch <freebsd-arch@freebsd.org>
Subject: Re: any reason not to enable IPDIVERT for ipfw module?
Message-ID: <20141101144834.N52402@sola.nimnet.asn.au>
In-Reply-To: <CAOjFWZ7EZUHi+7VgQ53os4MYuZT6SSf89B1dQSPX-SZLrhFzzw@mail.gmail.com>
References: <20141031191212.GO8852@funkthat.com> <CAOjFWZ7EZUHi+7VgQ53os4MYuZT6SSf89B1dQSPX-SZLrhFzzw@mail.gmail.com>
On Fri, 31 Oct 2014 18:28:28 -0700, Freddie Cash wrote:
> On Oct 31, 2014 12:12 PM, "John-Mark Gurney" <jmg@funkthat.com> wrote:
> >
> > Can anyone think of a good reason not to enable IPDIVERT sockets in
> > the ipfw module?

Yes, two. Nowadays people are just as or perhaps more likely to use in-kernel NAT, loading ipfw_nat.ko instead of ipdivert.ko, and there's no good reason to add extra code to ipfw.ko unless it's going to be used. See libalias(3) /MODULAR ARCHITECTURE

Similarly there'd be no reason to include dummynet code unless using it.

> > And possibly enabling default to accept? That way you don't have to
> > go to the console when you load the ipfw module because you forgot to
> > auto add the accept all rule? :)

That'd reverse some 15+ years of security policy, of having the firewall closed until you've loaded your ruleset, to cater to forgetfulness? :)

> You can change the default rule to accept via loader.conf and it will be
> set when the module is loaded.
>
> net.inet.IP.fw.default_to_accept or something Like that.

Yes, net.inet.ip.fw.default_to_accept=1 is a loader tunable, and can be set before ipfw is loaded, unlike the net.inet.ip.fw sysctls which don't exist until ipfw is loaded. Or it can be set to 0 to reverse policy if the kernel has been built with 'options IPFIREWALL_DEFAULT_TO_ACCEPT'.

Normally /etc/rc.d/ipfw takes care of loading ipfw_nat or ipdivert (or both if you wanted to use both natd(8) and ipfw_nat for some reason?) and/or dummynet, according to the rc.conf variables.

I've added freebsd-ipfw@ to ccs, just because it seems relevant ..

cheers, Ian

> > something like: > > ==== //depot/projects/opencrypto/sys/modules/ipfw/Makefile#3 - > /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile ==== > > --- /tmp/tmp.15774.16 2014-10-31 12:11:56.000000000 -0700 > > +++ /home/jmg/freebsd.p4/opencrypto/sys/modules/ipfw/Makefile > 2014-10-31 12:11:54.000000000 -0700
> > @@ -16,7 +16,10 @@ > > #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100 > > # > > #If you want it to pass all packets by default > > -#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT > > +CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT > > +# > > +#If you want divert sockets > > +CFLAGS+= -DIPDIVERT > > # > > > > .include <bsd.kmod.mk> > > > > -- > > John-Mark Gurney Voice: +1 415 225 5579 > > > > "All that I will do, has been done, All that I have, has not."
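Review bot: uncommenting `CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT` in this hunk changes the module's compile-time default policy from closed to open for everyone who builds ipfw.ko, which is exactly the long-standing closed-until-ruleset-loaded policy objected to above; leave that line commented and let anyone who wants an open default set the `net.inet.ip.fw.default_to_accept=1` loader tunable already mentioned in this thread, which takes effect before the module loads. The added `CFLAGS+= -DIPDIVERT` likewise compiles divert-socket support into ipfw.ko unconditionally even though ipdivert.ko exists for that purpose; if it stays, gate it behind a make knob so the code is only built when wanted, and note that the "#If you want it to pass all packets by default" comment now sits above an always-active line rather than an opt-in one.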