Date: Mon, 28 Jan 2002 13:20:15 -0700
From: Chad David
To: Patrick Greenwell
Cc: "Robert D. Hughes", Nate Williams, Justin White, freebsd-stable@FreeBSD.ORG
Subject: Re: firewall config (CTFM)
Message-ID: <20020128132015.A66369@colnta.acns.ab.ca>
In-Reply-To: <20020128113806.O95859-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Mon, Jan 28, 2002 at 11:51:49AM -0800

On Mon, Jan 28, 2002 at 11:51:49AM -0800, Patrick Greenwell wrote:
> On Mon, 28 Jan 2002, Robert D. Hughes wrote:
>
> > While this will probably get me flamed to no end, users not reading the
> > docs and keeping up with advisories (sys admins are users too) is only
> > the cause of little things like nimda, code red, and probably at least
> > 90% of all the other problems people report with any system.
>
> It's always amusing when "keyword commentators" chime in. You know the
> type; a certain set of keywords trigger a post from these well-intentioned
> folks that usually haven't bothered to read an entire thread.

I can see that your attitude has done nothing but help you gain support
for your position :). (And yes, I have been reading this thread.)

> I've said it repeatedly, but since you weren't paying attention, I'll say
> it specifically for your benefit: there is no documentation on the
> ineffectiveness of setting firewall_enable to no, anywhere. One is left to
> their crystal ball and various and sundry scrying devices in order to
> intuit that unlike setting firewall_enable to yes, setting firewall_enable
> to no doesn't do anything and leaves you with a box that doesn't pass packets.

Could you please explain how the following makes sense?

1) I enable ipfw in my kernel
2) I do not configure it to allow by default
3) I reboot with firewall_enable="NO"
4) The firewall defaults to allow

If I set the default in my kernel config to deny, then that is exactly
what I want it to do. If I want it to allow by default, then that is what
I will put in the kernel config. What you are asking for is that the
firewall code not be enabled in the kernel (same as allow ip from any to
any), which goes against your previous wishes when you compiled it into
your kernel. Perhaps neither is obvious, but who gets to win?

It seems obvious to me that FreeBSD will not change the default to allow,
so arguing for that is a waste of time; instead, I would recommend fixing
the documentation. One of the things I would recommend documenting very
clearly is that you DO NOT NEED TO COMPILE IPFW INTO THE KERNEL. Load the
module. If you left it out of your kernel and used the module for what it
was designed for, then firewall_enable="NO" would do exactly what you want
it to do.

> [insert obligatory follow-up argument from other parties that says that
> people that are smart enough to compile a firewall into their kernel
> aren't smart enough to enable it so it needs to be done for them
> regardless.]

Again, I don't see how that helped, but...

When I consider how many times a day my webserver gets hit with spam from
Windows machines that are run by admins who do not know how to apply
patches, a lot of my concern for folks who want to run network services
but do not know how goes away. What they need is documentation, not a
configuration system that reads like English (or whatever).

If you have any constructive comments about the existing docs, and would
like to supply patches (or even raw text), I'm sure somebody would be
willing to commit them for you (I would even format them for you if you
wanted). There are two places I would start: firewall(7) and rc.conf(5).

For the group at large: does FreeBSD recommend ipfw be compiled into the
kernel (for general use), and if so, what is the module for? If we change
the documented recommendation (firewall(7)) from compiling it in to using
the module, new users would get the behaviour they seem to expect from
firewall_enable="XXX", while more experienced users would be left with the
existing behaviour.

Let me point out that my personal preference is for deny to be the
default, and that if I make a mistake in the config it defaults to locking
everything out (note that I protect real assets behind firewalls).

--
Chad David        davidc@acns.ab.ca
www.FreeBSD.org   davidc@freebsd.org
ACNS Inc.         Calgary, Alberta Canada

Fourthly, The constant breeders, beside the gain of eight shillings
sterling per annum by the sale of their children, will be rid of the
charge of maintaining them after the first year.
                                                  - Jonathan Swift
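The four-step scenario and the kernel-versus-module distinction in the message above, as an added example that is not part of the thread or of FreeBSD itself: a POSIX sh function that predicts what a box does at boot from the text of its kernel config and rc.conf. The kernel option names IPFIREWALL and IPFIREWALL_DEFAULT_TO_ACCEPT are FreeBSD's real option names; the sample config texts are constructed here, and firewall_enable=YES is treated simply as "a ruleset gets loaded".

```shell
#!/bin/sh
# Added example, not from the thread. Predicts the boot-time outcome of the
# ipfw / firewall_enable combination from a kernel config and an rc.conf.
# FreeBSD option names are real; the sample configs below are constructed.

# ipfw_outcome KERNEL_CONFIG_TEXT RC_CONF_TEXT -> prints one word:
#   pass-no-filter       ipfw not compiled in, module never loaded: no filtering
#   block-until-ruleset  compiled in, default deny, firewall_enable=NO: nothing passes
#   pass-default-accept  compiled in with IPFIREWALL_DEFAULT_TO_ACCEPT, no rules loaded
#   pass-rules           firewall_enable=YES: traffic is governed by the loaded ruleset
ipfw_outcome() {
    kern="$1"; rc="$2"
    in_kernel=0; default_accept=0; enable=no
    # "options IPFIREWALL" alone (not IPFIREWALL_VERBOSE etc.) means compiled in
    printf '%s\n' "$kern" | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' \
        && in_kernel=1
    printf '%s\n' "$kern" | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' \
        && default_accept=1
    # last firewall_enable= assignment wins, as in sh; quotes and comments stripped
    val=$(printf '%s\n' "$rc" | tr -d "\"'" \
        | awk -F= '/^[ \t]*firewall_enable=/ { v = $2; sub(/[ \t#].*/, "", v) } END { print tolower(v) }')
    [ -n "$val" ] && enable="$val"
    if [ "$enable" = yes ]; then
        echo pass-rules
    elif [ "$in_kernel" -eq 1 ] && [ "$default_accept" -eq 0 ]; then
        echo block-until-ruleset
    elif [ "$in_kernel" -eq 1 ]; then
        echo pass-default-accept
    else
        echo pass-no-filter
    fi
}

# Constructed sample inputs (not any real system's files).
KERN_DENY='options IPFIREWALL
options IPFIREWALL_VERBOSE'
KERN_ACCEPT='options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT'
KERN_MODULE='options INET'
RC_NO='firewall_enable="NO"'
RC_YES='firewall_enable="YES"   # ruleset chosen by firewall_type
firewall_type="open"'

for case in "KERN_DENY RC_NO" "KERN_ACCEPT RC_NO" "KERN_MODULE RC_NO" "KERN_DENY RC_YES"; do
    set -- $case
    eval k=\$$1; eval r=\$$2
    printf '%-12s %-7s -> %s\n' "$1" "$2" "$(ipfw_outcome "$k" "$r")"
done
```

The second line of output is the case the thread argues about: ipfw compiled in with the kernel's default-deny rule, firewall_enable="NO", so nothing is loaded and nothing passes.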