From: Aaron Peterson
To: Brian E. Conklin
Cc: freebsd-questions@freebsd.org, Mark Cullen
Date: Mon, 10 Oct 2005 11:27:23 -0400
Subject: Re: Converting from IPFW to IPFILTER

On 10/10/05, Brian E. Conklin wrote:
>
> So I am assuming because IPFW is built into the kernel with a "default to
> deny" option, I will need an IPFW rule allowing everything? Or, can I change
> my rc.conf to have IPFIREWALL_ENABLE="NO"?
>

IPFW can be compiled static into the kernel, or it can be loaded as a
module. My understanding is that when loading as a module, default deny
is your only option. If you compile into the kernel with "options
IPFIREWALL_DEFAULT_TO_ACCEPT" then you get the obvious results.

This is all in the handbook by the way:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

Aaron
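One way to find out which default policy the running kernel actually has before deciding whether a "pass everything" rule is needed during the switch to IPFILTER, as an added example that is not code from this thread or from FreeBSD: a POSIX sh script that reads `ipfw list` output and reports the action of rule 65535, the rule ipfw uses to express its default policy. The sample rulesets below are constructed; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread. FreeBSD's ipfw shows its default
# policy as the last rule, number 65535: "deny" for the module or a kernel
# without IPFIREWALL_DEFAULT_TO_ACCEPT, "allow" when that option is set.

# Constructed sample of `ipfw list` output on a default-to-deny kernel.
SAMPLE_DENY='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

# Constructed sample from a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT.
SAMPLE_ACCEPT='00100 allow ip from any to any via lo0
65535 allow ip from any to any'

# ipfw_default_policy: read `ipfw list` output on stdin and print the
# action of rule 65535 ("deny" or "allow"), or "unknown" if it is absent.
ipfw_default_policy() {
    awk '$1 == "65535" { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

# needs_pass_all_rule: succeeds (exit 0) when the default policy is deny,
# i.e. when ipfw will drop traffic unless a rule explicitly allows it,
# so handing filtering over to IPFILTER requires an "allow ip from any
# to any" rule as long as ipfw stays compiled into the kernel.
needs_pass_all_rule() {
    [ "$(ipfw_default_policy)" = "deny" ]
}

if [ "${1:-}" = "--live" ]; then
    # On a real host, inspect the kernel's current ruleset instead.
    ipfw list | ipfw_default_policy
else
    printf '%s\n' "$SAMPLE_DENY"   | ipfw_default_policy   # deny
    printf '%s\n' "$SAMPLE_ACCEPT" | ipfw_default_policy   # allow
fi
```

Setting firewall_enable="NO" in rc.conf only stops the rc script from loading a ruleset; it does not change rule 65535 of a kernel that has ipfw compiled in, which is why the check above is worth running first.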