Date:      Mon, 24 Jun 2002 19:27:18 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Chris Pepper <pepper@reppep.com>
Cc:        <billf@FreeBSD.org>, freebsd-bugs@FreeBSD.org
Subject:   Re: kern/39814: GENERIC kernel should include ipfw
Message-ID:  <200206250227.g5P2RIvn001763@apollo.backplane.com>

    I'll update it.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>


:>known issues and is being addressed already.
:>
:>
:>http://www.freebsd.org/cgi/query-pr.cgi?pr=39814
:
:	Then /usr/share/man/man7/firewall.7.gz should be updated, as 
:it claims a kernel rebuild is required for firewall usage:
:
:>IPFW KERNEL CONFIGURATION
:>      To use the ip firewall features of FreeBSD you must create a custom ker-
:>      nel with the IPFIREWALL option set.  The kernel defaults its firewall to
:>      deny all packets by default, which means that if you do not load in a
:>      permissive ruleset via /etc/rc.conf, rebooting into your new kernel will
:>      take the network offline and will prevent you from being able to access
:>      it if you are not sitting at the console.  It is also quite common to
:>      update a kernel to a new release and reboot before updating the binaries.
:>      This can result in an incompatibility between the ipfw(8) program and the
:>      kernel which prevents it from running in the boot sequence, also result-
:>      ing in an inaccessible machine.  Because of these problems the
:>      IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is also available which
:>      changes the default firewall to pass through all packets.  Note, however,
:>      that this is a very dangerous option to set because it means your fire-
:>      wall is disabled during booting.  You should use this option while get-
:>      ting up to speed with FreeBSD firewalling, but get rid of it once you
:>      understand how it all works to close the loophole.  There is a third
:>      option called IPDIVERT which allows you to use the firewall to divert
:>      packets to a user program and is necessary if you wish to use natd(8) to
:>      give private internal networks access to the outside world.  If you want
:>      to be able to limit the bandwidth used by certain types of traffic, the
:>      DUMMYNET option must be used to enable ipfw pipe rules.
:
:
:						Chris Pepper
:-- 
:Chris Pepper:               <http://www.reppep.com/~pepper/>
:Rockefeller University:        <http://www.rockefeller.edu/>
