From owner-freebsd-stable Mon Jan 28 12:33:44 2002 Delivered-To: freebsd-stable@freebsd.org Received: from zaphod.wox.org (CPE0050bae86969.cpe.net.cable.rogers.com [24.112.22.141]) by hub.freebsd.org (Postfix) with ESMTP id 0652F37B416 for ; Mon, 28 Jan 2002 12:33:20 -0800 (PST) Received: from localhost (rglidden@localhost) by zaphod.wox.org (8.11.6/8.11.6) with ESMTP id g0SKX5q10997; Mon, 28 Jan 2002 15:33:05 -0500 (EST) (envelope-from rglidden@zaphod.wox.org) Date: Mon, 28 Jan 2002 15:33:05 -0500 (EST) From: Richard Glidden X-X-Sender: rglidden@charon.acheron.localnet To: Nate Williams Cc: freebsd-stable@FreeBSD.ORG Subject: RE: firewall config (CTFM) In-Reply-To: <15445.37204.693732.376471@caddis.yogotech.com> Message-ID: <20020128150458.E10891-100000@charon.acheron.localnet> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, 28 Jan 2002, Nate Williams wrote: > Also, even *I* can't find answers to my questions with 30 minutes, and I > know where to look, so I find you statement, well, to be brutally > honest, both humerous and a little bit egotistical. : man rc.conf: firewall_enable (bool) Set to ``NO'' if you do not want have firewall rules loaded at startup, or ``YES'' if you do. If set to ``YES'', and the kernel was not built with IPFIREWALL, the ipfw kernel module will be loaded. See also ipfilter_enable. Obviously, NO means "Don't Load Firewall Rules." This implies, to me, that some sort of defaults might be loaded, but what those defaults are, who knows? What does the firewall do if there are no rules? Better check what IPFIREWALL really means... LINT: # IPFIREWALL enables support for IP firewall construction, in # conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends # logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT # limits the number of times a matching entry can be logged. # # WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any" # and if you do not add other rules during startup to allow access, # YOU WILL LOCK YOURSELF OUT. It is suggested that you set # firewall_type=open in /etc/rc.conf when first enabling this feature, # then refining the firewall rules in /etc/rc.firewall after you've # tested that the new kernel feature works properly. Ok, so if I don't load rules, I will lock myself out. So firewall_enable="NO" + IPFIREWALL = instant lockout. Seems pretty clear. What does rc.conf say? firewall_enable="NO" # Set to YES to enable firewall functionality Hrm. A little vague, but it's in line with what the man page says. Besides, I shouldn't be looking at this file anyway, right? The answers are there, and are not too difficult to find. The problem is that the answer is spread across LINT and man rc.conf, plus there's a vague statement in rc.conf and the variable name is misleading. Depending on what documentation you stumble across, or how little documentation you read, you don't get the right answer. Really, the man page should be updated to include the information from LINT, so you know that firewall_enable=NO may lock you out if to built the firewall into the kernel, and the rc.conf comment should be adjusted in case people look there instead of the man page. The whole source of the confusion is that "firewall_enable" behaves differently depending on whether or not you have IPFIREWALL defined in your kernel. Without it, "firewall_enable='NO'" means to not load any firewall functionality, and leave everything wide open. With IPFIREWALL defined, it means to not load any custom rules, and do whatever is the default in the kernel (deny or accept everything) which may lock you out. The only good solution is to turn firewall_enable into a tri-state variable, as has been suggested, or break the two options out into two rc.conf variables. "firewall_enable" which enables or disables firewall functionality (or controls loading of the module) and "firewall_rules" which controls loading of the rules or not, for example. Of course, as has been pointed out, this will break people's configurations, and should probably wait for FreeBSD 5.0. Thanks, - Richard To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message