Date: Mon, 24 Jun 2002 19:27:18 -0700 (PDT)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Chris Pepper <pepper@reppep.com>
Cc: <billf@FreeBSD.org>, freebsd-bugs@FreeBSD.org
Subject: Re: kern/39814: GENERIC kernel should include ipfw
Message-ID: <200206250227.g5P2RIvn001763@apollo.backplane.com>
    I'll update it.

					-Matt
					Matthew Dillon
					<dillon@backplane.com>

:>known issues and is being addressed already.
:>
:>http://www.freebsd.org/cgi/query-pr.cgi?pr=39814
:
:	Then /usr/share/man/man7/firewall.7.gz should be updated, as
:it claims a kernel rebuild is required for firewall usage:
:
:>IPFW KERNEL CONFIGURATION
:>     To use the ip firewall features of FreeBSD you must create a custom
:>     kernel with the IPFIREWALL option set. The kernel defaults its firewall
:>     to deny all packets by default, which means that if you do not load in a
:>     permissive ruleset via /etc/rc.conf, rebooting into your new kernel will
:>     take the network offline and will prevent you from being able to access
:>     it if you are not sitting at the console. It is also quite common to
:>     update a kernel to a new release and reboot before updating the
:>     binaries. This can result in an incompatibility between the ipfw(8)
:>     program and the kernel which prevents it from running in the boot
:>     sequence, also resulting in an inaccessible machine. Because of these
:>     problems the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is also
:>     available which changes the default firewall to pass through all
:>     packets. Note, however, that this is a very dangerous option to set
:>     because it means your firewall is disabled during booting. You should
:>     use this option while getting up to speed with FreeBSD firewalling, but
:>     get rid of it once you understand how it all works to close the
:>     loophole. There is a third option called IPDIVERT which allows you to
:>     use the firewall to divert packets to a user program and is necessary
:>     if you wish to use natd(8) to give private internal networks access to
:>     the outside world. If you want to be able to limit the bandwidth used
:>     by certain types of traffic, the DUMMYNET option must be used to enable
:>     ipfw pipe rules.
:
:
:	Chris Pepper
:--
:Chris Pepper: <http://www.reppep.com/~pepper/>
:Rockefeller University: <http://www.rockefeller.edu/>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
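The lockout the quoted firewall(7) text warns about comes from rebooting into an IPFIREWALL kernel (default deny) with no ruleset loaded from /etc/rc.conf. A pre-reboot check for exactly that condition, as an added example that is not part of this message or of FreeBSD's own rc scripts; it assumes the rc.conf variables firewall_enable and firewall_type as FreeBSD's rc.firewall reads them, and the sample configurations are constructed:

```shell
#!/bin/sh
# Added example (not from the original message or from firewall(7)):
# check an rc.conf before rebooting into a kernel built with IPFIREWALL,
# so the kernel's built-in deny-all policy is not left in place with no
# ruleset behind it. Assumed: FreeBSD's rc.conf variables firewall_enable
# and firewall_type; rc.firewall's default firewall_type of UNKNOWN loads
# no rules. The sample configurations below are constructed.

# Print the value of the last assignment of variable $1 in rc.conf text on stdin.
rc_var() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" | tail -n 1
}

# Exit 0: a ruleset would be loaded at boot.
# Exit 1: the kernel's default deny policy would take the machine offline.
check_firewall_rc() {
    conf="$1"
    enable=$(printf '%s\n' "$conf" | rc_var firewall_enable)
    fw_type=$(printf '%s\n' "$conf" | rc_var firewall_type)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "firewall_enable is not YES: boot leaves default deny with no rules"
           return 1 ;;
    esac
    case "$fw_type" in
        ""|UNKNOWN) echo "firewall_type unset: no ruleset would be loaded"
                    return 1 ;;
    esac
    echo "ok: firewall_enable=YES, firewall_type=$fw_type"
    return 0
}

# Constructed sample rc.conf contents.
RC_OK='hostname="gw.example"
firewall_enable="YES"
firewall_type="open"   # permissive ruleset while learning ipfw'
RC_LOCKOUT='hostname="gw.example"
firewall_enable="NO"'
RC_NORULES='firewall_enable="YES"'

check_firewall_rc "$RC_OK"
check_firewall_rc "$RC_LOCKOUT" || echo "-> fix rc.conf before rebooting"
check_firewall_rc "$RC_NORULES" || echo "-> fix rc.conf before rebooting"
```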
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200206250227.g5P2RIvn001763>