Date: Mon, 28 Jan 2002 15:33:05 -0500 (EST) From: Richard Glidden <rglidden@zaphod.wox.org> To: Nate Williams <nate@yogotech.com> Cc: freebsd-stable@FreeBSD.ORG Subject: RE: firewall config (CTFM) Message-ID: <20020128150458.E10891-100000@charon.acheron.localnet> In-Reply-To: <15445.37204.693732.376471@caddis.yogotech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 28 Jan 2002, Nate Williams wrote:
> Also, even *I* can't find answers to my questions with 30 minutes, and I
> know where to look, so I find you statement, well, to be brutally
> honest, both humerous and a little bit egotistical. :
man rc.conf:
firewall_enable
(bool) Set to ``NO'' if you do not want have firewall
rules loaded at startup, or ``YES'' if you do. If set
to ``YES'', and the kernel was not built with
IPFIREWALL, the ipfw kernel module will be loaded. See
also ipfilter_enable.
Obviously, NO means "Don't Load Firewall Rules." This implies, to me,
that some sort of defaults might be loaded, but what those defaults
are, who knows? What does the firewall do if there are no rules? Better
check what IPFIREWALL really means...
LINT:
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set
# firewall_type=open in /etc/rc.conf when first enabling this feature,
# then refining the firewall rules in /etc/rc.firewall after you've
# tested that the new kernel feature works properly.
Ok, so if I don't load rules, I will lock myself out. So
firewall_enable="NO" + IPFIREWALL = instant lockout. Seems pretty clear.
What does rc.conf say?
firewall_enable="NO" # Set to YES to enable firewall functionality
Hrm. A little vague, but it's in line with what the man page says.
Besides, I shouldn't be looking at this file anyway, right?
The answers are there, and are not too difficult to find. The problem is
that the answer is spread across LINT and man rc.conf, plus there's a
vague statement in rc.conf and the variable name is misleading.
Depending on what documentation you stumble across, or how little
documentation you read, you don't get the right answer. Really, the man
page should be updated to include the information from LINT, so you know
that firewall_enable=NO may lock you out if to built the firewall into the
kernel, and the rc.conf comment should be adjusted in case people look
there instead of the man page.
The whole source of the confusion is that "firewall_enable" behaves
differently depending on whether or not you have IPFIREWALL defined in
your kernel. Without it, "firewall_enable='NO'" means to not load any
firewall functionality, and leave everything wide open. With IPFIREWALL
defined, it means to not load any custom rules, and do whatever is the
default in the kernel (deny or accept everything) which may lock you out.
The only good solution is to turn firewall_enable into a tri-state
variable, as has been suggested, or break the two options out into two
rc.conf variables. "firewall_enable" which enables or disables firewall
functionality (or controls loading of the module) and "firewall_rules"
which controls loading of the rules or not, for example. Of course, as
has been pointed out, this will break people's configurations, and should
probably wait for FreeBSD 5.0.
Thanks,
- Richard
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020128150458.E10891-100000>