From: Aaron Peterson
To: freebsd-questions@freebsd.org
Date: Mon, 10 Oct 2005 11:51:55 -0400
Subject: Re: Converting from IPFW to IPFILTER
Message-ID: <45d750d20510100851n45d9c4d3jd7966e188aa0d2b4@mail.gmail.com>
In-Reply-To: <45d750d20510100849y7fe92ab2pe2cedd0da9cf6c1e@mail.gmail.com>
On 10/10/05, Aaron Peterson wrote:
> Thanks. The problem is it is on a production machine that I can not have down
> for any length of time. So recompiling the kernel to remove IPFW support, and
> then configuring, troubleshooting, and tweaking IPFILTER would have access
> down too long. I'd prefer to switch back and forth from the command line
> while I get IPFILTER configured and working correctly. Then on my next
> quarterly BUILDWORLD, I can also recompile the kernel to remove IPFW support.

You can add an ipfw rule (#1 for instance) allowing all traffic. However, if you use other protocols besides IP on your network, this might have unexpected side effects. My understanding is that the default deny policy drops everything that isn't IP traffic, and there is no way to allow it using rules at that point. Someone please correct me if I'm wrong. A default accept policy with a "deny all" rule functions similarly, still allowing all non-IP traffic.

If you don't foresee this causing problems, you should be fine with a single "allow all" rule until your change window arrives.

Aaron
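The "switch back and forth from the command line" approach described in the reply, written out as a small sh script. This is an added example, not code from the original thread: it wraps the single ipfw rule #1 "allow all" in functions so the pass-through can be turned on for a test window and removed again, leaving the rest of the ipfw ruleset untouched. It assumes ipfw(8) is in PATH and is run as root; setting IPFW=echo is a dry-run hook (an assumption of this script, not an ipfw feature) that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post). Toggle an ipfw "pass everything"
# rule so that IPFILTER can be tested without rebuilding the kernel.
# Assumptions: ipfw(8) is in PATH and we run as root. Setting IPFW=echo in the
# environment turns this into a dry run that only prints the commands.
IPFW="${IPFW:-ipfw}"
PASS_RULE_NUM=1   # rule 1 is evaluated before every other rule in the set

# Insert rule 1 allowing all IP traffic. While it is loaded, ipfw performs
# no filtering at all, so only IPFILTER stands between the host and the net.
ipfw_passthrough_on() {
    "$IPFW" add "$PASS_RULE_NUM" allow ip from any to any
}

# Delete rule 1 so the existing ipfw ruleset is enforced again.
# The remaining rules were never touched, so no reload is needed.
ipfw_passthrough_off() {
    "$IPFW" delete "$PASS_RULE_NUM"
}

# Report whether the pass-everything rule is currently loaded.
# "ipfw list N" exits non-zero when rule N does not exist.
ipfw_passthrough_state() {
    if "$IPFW" list "$PASS_RULE_NUM" >/dev/null 2>&1; then
        echo "open"
    else
        echo "filtering"
    fi
}

# Example session: open ipfw, check, then restore filtering.
if [ "${1:-}" = "demo" ]; then
    ipfw_passthrough_on
    ipfw_passthrough_state
    ipfw_passthrough_off
    ipfw_passthrough_state
fi
```

Because rule 1 is added rather than the ruleset being flushed, `ipfw_passthrough_off` restores the previous filtering exactly; running `ipfw_passthrough_state` before and after each IPFILTER test makes it obvious which firewall is actually in force. As the reply notes, this only affects IP: traffic ipfw drops by its default policy is unaffected by rule 1.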