From owner-freebsd-doc Thu Jan 2 10:40:41 2003 Delivered-To: freebsd-doc@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F142837B405 for ; Thu, 2 Jan 2003 10:40:38 -0800 (PST) Received: from skywalker.rogness.net (skywalker.rogness.net [64.251.173.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC32843EC2 for ; Thu, 2 Jan 2003 10:40:37 -0800 (PST) (envelope-from nick@rogness.net) Received: from skywalker.rogness.net (localhost [127.0.0.1]) by skywalker.rogness.net (8.12.5/8.12.5) with ESMTP id h02IfN4X004259; Thu, 2 Jan 2003 11:41:23 -0700 (MST) (envelope-from nick@rogness.net) Received: from localhost (nick@localhost) by skywalker.rogness.net (8.12.5/8.12.5/Submit) with ESMTP id h02IfLbk004256; Thu, 2 Jan 2003 11:41:22 -0700 (MST) X-Authentication-Warning: skywalker.rogness.net: nick owned process doing -bs Date: Thu, 2 Jan 2003 11:41:11 -0700 (MST) From: Nick Rogness To: Lucky Green Cc: l.rizzo@iet.unipi.it, Subject: Re: IPFW: suicidal defaults In-Reply-To: <000101c2b279$51d33ba0$6601a8c0@VAIO650> Message-ID: <20030102112914.P4054-100000@skywalker.rogness.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 2 Jan 2003, Lucky Green wrote: > Folks, > A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvssup > from the security branch) machine. Following the instruction in the > Handbook at > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html > I recompiled the kernel with the required options and rebooted the > machine. > > What I would have expected to happen is for there to be a new kernel > that later on can be configured with firewall rules. But that is not > what happened. Instead, IPFW defaults to block all IP traffic unless > told otherwise: I was locked out of my machine! Which was on the other > side of the planet from where I was physically located. Do some research and testing before installing something at such a remote location. Basic SysAdmin-101 concepts. > > Now I am all for shipping systems that are secure out-of-the-box, but > defaulting an install to locking the admin out of his machine is not a > nice thing to do. While I would argue that this should never be done, at > the very least such a major trap should be mentioned in the Handbook so > that administrators that follow the Handbook's step-by-step instructions > know that they have to do so from the console, since in doing so they > will lock themselves out remotely. > Therefore, could you please be so kind and prevent others from shooting > themselves into the foot as I did by > > 1) at least mention this danger *prominently* in the FreeBSD Handbook. > Agreed. There should be a mention. However, someone has to write it. Instead of bitchin about it, go ahead and submit a change (bug report). > 2) ideally set IPFW defaults so that they don't screw up people's lives. > This is probably won't happen nor should it. A lot of firewalls come with default to deny. It is not as unusual as you would think. In fact, it makes sense to block by default. Nick Rogness -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBPhSH0bvBDHaKKeQcEQJq4gCff11v7424NNafwIzKw7C/n5itNVAAn0vX 7AtuEb+7b8VWBUaDeUWP43b+ =2HIW -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message