From owner-freebsd-doc  Thu Jan  2 11:24:57 2003
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 47CA537B401
	for <doc@FreeBSD.ORG>; Thu,  2 Jan 2003 11:24:56 -0800 (PST)
Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP id BFD6F43ED8
	for <doc@FreeBSD.ORG>; Thu,  2 Jan 2003 11:24:55 -0800 (PST)
	(envelope-from shamrock@cypherpunks.to)
Received: from VAIO650 (unknown [208.201.229.160])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by pakastelohi.cypherpunks.to (Postfix) with ESMTP
	id 6C4EF36481; Thu,  2 Jan 2003 20:24:53 +0100 (CET)
From: "Lucky Green" <shamrock@cypherpunks.to>
To: "'Nick Rogness'" <nick@rogness.net>
Cc: <l.rizzo@iet.unipi.it>, <doc@FreeBSD.ORG>
Subject: RE: IPFW: suicidal defaults
Date: Thu, 2 Jan 2003 11:24:48 -0800
Message-ID: <003901c2b294$9f341610$6601a8c0@VAIO650>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <20030102120754.P4054-100000@skywalker.rogness.net>
Importance: Normal
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-doc.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-doc>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-doc>
X-Loop: FreeBSD.org

Nick wrote:
> 	Ummm, unless things have changed, just recompiling the 
> kernel with
> 	'options IPFIREWALL' won't enable your firewall.  You need the
> 	corresponding option in /etc/rc.conf :
> 
> 		firewall_enable="YES"
> 
> 	If you recompiled your kernel with 'options IPFIREWALL' 
> and didn't
> 	enable the above switch in /etc/rc.conf then your problem isn't
> 	the firewall blocking you.  Chances are your kernel won't load
> 	properly on the machine the way you compiled it.

I assure you that I didn't have firewall_enable="YES" set and yet the
firewall was turned on once my system came back from reboot. Stock 4.6.2
install, security branch cvsup. I am looking at rc.* this very moment.

If I had enabled the firewall in rc.conf, I would richly deserve
whatever punishment I got. :)

One I finally got a hold of a guy on-site, his trying to use ping on the
server make it pretty obvious that that firewall was active. He added an
entry to rc.local that starts up the firewall with a more lenient rule
set, but I will look at /etc/defaults/rc.conf to figure out how IPFW is
supposed to be started up from rc.conf.

I swear that the firewall came up without any changes to rc.conf,
otherwise I wouldn't have emailed you folks in the first place...

--Lucky


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message