From owner-freebsd-bugs Mon Jun 24 19:27:44 2002
Delivered-To: freebsd-bugs@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 97C7137B415; Mon, 24 Jun 2002 19:27:18 -0700 (PDT)
Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g5P2RIl1001764; Mon, 24 Jun 2002 19:27:18 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.12.3/8.12.3/Submit) id g5P2RIvn001763; Mon, 24 Jun 2002 19:27:18 -0700 (PDT) (envelope-from dillon)
Date: Mon, 24 Jun 2002 19:27:18 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200206250227.g5P2RIvn001763@apollo.backplane.com>
To: Chris Pepper
Cc: , freebsd-bugs@FreeBSD.org
Subject: Re: kern/39814: GENERIC kernel should include ipfw
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

    I'll update it.

                                        -Matt
                                        Matthew Dillon

:>known issues and is being addressed already.
:>
:>
:>http://www.freebsd.org/cgi/query-pr.cgi?pr=39814
:
:       Then /usr/share/man/man7/firewall.7.gz should be updated, as
:it claims a kernel rebuild is required for firewall usage:
:
:>IPFW KERNEL CONFIGURATION
:>     To use the ip firewall features of FreeBSD you must create a custom
:>     kernel with the IPFIREWALL option set.  The kernel defaults its firewall to
:>     deny all packets by default, which means that if you do not load in a
:>     permissive ruleset via /etc/rc.conf, rebooting into your new kernel will
:>     take the network offline and will prevent you from being able to access
:>     it if you are not sitting at the console.  It is also quite common to
:>     update a kernel to a new release and reboot before updating the binaries.
:>     This can result in an incompatibility between the ipfw(8) program and the
:>     kernel which prevents it from running in the boot sequence, also
:>     resulting in an inaccessible machine.  Because of these problems the
:>     IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is also available which
:>     changes the default firewall to pass through all packets.  Note, however,
:>     that this is a very dangerous option to set because it means your
:>     firewall is disabled during booting.  You should use this option while
:>     getting up to speed with FreeBSD firewalling, but get rid of it once you
:>     understand how it all works to close the loophole.  There is a third
:>     option called IPDIVERT which allows you to use the firewall to divert
:>     packets to a user program and is necessary if you wish to use natd(8) to
:>     give private internal networks access to the outside world.  If you want
:>     to be able to limit the bandwidth used by certain types of traffic, the
:>     DUMMYNET option must be used to enable ipfw pipe rules.
:
:
:                                       Chris Pepper
:--
:Chris Pepper:
:Rockefeller University:
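The quoted firewall(7) text describes two ways a reboot can go wrong: a default-deny IPFIREWALL kernel with no ruleset loaded from /etc/rc.conf locks the administrator out, while IPFIREWALL_DEFAULT_TO_ACCEPT leaves the firewall open during boot. The following pre-reboot check is an added example for this thread, not code from the post, the PR, or FreeBSD itself. It is a hypothetical script that reads a kernel configuration file and an rc.conf file and reports which of those boot postures applies. It assumes the rc.conf variables firewall_enable and firewall_type that /etc/rc.firewall reads, treats an unset or UNKNOWN firewall_type as "no ruleset loaded", and writes its own constructed sample files rather than touching the system's.

```shell
#!/bin/sh
# Added example (not from the mailing list post or firewall(7)): a hypothetical
# pre-reboot check that classifies the boot-time firewall posture described in
# the quoted man page text, given a kernel config file and an rc.conf file.
# Assumption: rc.conf uses firewall_enable / firewall_type as read by
# /etc/rc.firewall; an unset or "UNKNOWN" firewall_type means no ruleset is
# loaded, so the kernel's default deny rule stays in effect after boot.

# Does the kernel config set the given option?  Matches the whole option word,
# so IPFIREWALL does not also match IPFIREWALL_DEFAULT_TO_ACCEPT.
has_kernel_option() {  # has_kernel_option KERNCONF OPTION
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Value of an rc.conf variable: last assignment wins, quotes and comments stripped.
rc_value() {  # rc_value RCCONF VARNAME
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Prints one word describing what the machine does at boot:
#   no-ipfw          no IPFIREWALL option, ipfw is not compiled in
#   open-boot        IPFIREWALL_DEFAULT_TO_ACCEPT, everything passes until rules load
#   lockout-risk     default deny and rc.conf loads no ruleset, network goes offline
#   deny-with-rules  default deny, and rc.conf enables a ruleset at boot
firewall_posture() {  # firewall_posture KERNCONF RCCONF
    if ! has_kernel_option "$1" IPFIREWALL; then
        echo no-ipfw; return 0
    fi
    if has_kernel_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo open-boot; return 0
    fi
    enable=$(rc_value "$2" firewall_enable)
    type=$(rc_value "$2" firewall_type)
    case "$enable" in
        [Yy][Ee][Ss])
            case "$type" in
                ''|UNKNOWN) echo lockout-risk ;;
                *)          echo deny-with-rules ;;
            esac ;;
        *) echo lockout-risk ;;
    esac
}

# Constructed sample inputs (not real system files), written into directory $1.
write_samples() {
    mkdir -p "$1"
    printf 'ident GENERIC\noptions INET\n' > "$1/KERN_NOIPFW"
    printf 'options IPFIREWALL\noptions IPFIREWALL_VERBOSE\n' > "$1/KERN_DENY"
    printf 'options IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\noptions IPDIVERT\n' > "$1/KERN_ACCEPT"
    printf 'sshd_enable="YES"\n' > "$1/rc.conf.none"
    printf 'firewall_enable="YES"\n' > "$1/rc.conf.noset"
    printf 'firewall_enable="YES"\nfirewall_type="open"   # permissive ruleset\n' > "$1/rc.conf.open"
}

# Stand-alone run (sh check.sh --demo): report every sample combination.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for k in KERN_NOIPFW KERN_DENY KERN_ACCEPT; do
        for r in rc.conf.none rc.conf.noset rc.conf.open; do
            printf '%-12s %-14s %s\n' "$k" "$r" "$(firewall_posture "$d/$k" "$d/$r")"
        done
    done
    rm -rf "$d"
fi
```

Run against the real files as `firewall_posture /usr/src/sys/i386/conf/MYKERNEL /etc/rc.conf` before rebooting into a new kernel; anything other than deny-with-rules is the situation the man page warns about. The check cannot see the ipfw(8)/kernel version mismatch the text also mentions, so rebuilding world alongside the kernel remains a separate step.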