Date: Fri, 11 Oct 2013 05:22:49 +0200 From: "Michael Ross" <gmx@ross.cx> To: freebsd-questions@freebsd.org, "Chris Stankevitz" <chrisstankevitz@gmail.com> Subject: Re: NATD: net.inet.ip.fw.default_to_accept="1" vs firewall_type="OPEN" Message-ID: <op.w4rs0bh0g7njmm@michael-think> In-Reply-To: <CAPi0psuTj8YVhMve-qNsGcAEB9BLYH-fzA7=gmBpgfg%2BW5DdrA@mail.gmail.com> References: <CAPi0psuTj8YVhMve-qNsGcAEB9BLYH-fzA7=gmBpgfg%2BW5DdrA@mail.gmail.com>
On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz <chrisstankevitz@gmail.com> wrote:

> Hello,
>
> Handbook section 31.9 describes the setup of NAT.
>
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept="1" "during
> the first attempts to setup a firewall and NAT gateway".
>
> Section 31.9.5 suggests I "specify a predefined firewall ruleset that
> allows anything in" with firewall_type="OPEN"
>
> Question: What is the difference between these two configurations (or
> where can I go to learn the difference between the two)?
>
> Thank you,
>
> Chris

Hello,

ipfw always has one default rule, standard is

    65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept="1", you get

    65535 allow ip from any to any

instead.

Specifying firewall_type="OPEN" gives you an additional rule

    65000 allow ip from any to any

Now, if for example you execute ``ipfw flush'', thus deleting all rules, this deletes rule 65000, but the default rule stays in effect. With ...default_to_accept="0" (standard setting) you now have disabled all network connections and locked yourself out if you're working remote.

HTH,
Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.w4rs0bh0g7njmm>
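The lockout Michael describes (flush on a box with the stock deny default rule while logged in over ssh) is the usual way people get burned with ipfw, so here is an added example of a guarded reload, written for this page and not taken from the thread, the Handbook or FreeBSD's rc scripts. It assumes a FreeBSD host with ipfw(8) available; the IPFW, REVERT_SECS and STATE_DIR variables, the state directory path and the function names are this script's own choices. It snapshots the live ruleset, loads a new one, and arms a background timer that puts the snapshot back unless you confirm within REVERT_SECS. It also reports whether the default rule is the deny or the allow form, i.e. what a bare `ipfw flush` would leave you with.

```shell
#!/bin/sh
# Added example (not from the thread): lockout-safe ipfw ruleset reload.
# Assumes ipfw(8). IPFW, REVERT_SECS and STATE_DIR are this script's own
# knobs (assumptions, not FreeBSD settings).
IPFW=${IPFW:-ipfw}
REVERT_SECS=${REVERT_SECS:-120}
STATE_DIR=${STATE_DIR:-/var/run/ipfw-reload}

# Classify the default rule line, e.g. "65535 deny ip from any to any".
# The "allow" form is what net.inet.ip.fw.default_to_accept=1 gives you;
# with the "deny" form a flush cuts every connection, including yours.
classify_default_rule() {
    case " $1 " in
        *" allow "*) echo accept ;;
        *" deny "*)  echo deny ;;
        *)           echo unknown; return 1 ;;
    esac
}

# Turn 'ipfw list' output into lines ipfw(8) can read back from a file
# ("add NNNNN ..."). The default rule 65535 is skipped: it cannot be
# re-added, it is always there. (Rules land in set 0; per-set layouts and
# dynamic state are not preserved by this snapshot.)
to_loadable() {
    while IFS= read -r line; do
        case "$line" in
            65535\ *) continue ;;
            "")       continue ;;
        esac
        echo "add $line"
    done
}

# Save the live ruleset in loadable form to the file named in $1.
snapshot_rules() {
    "$IPFW" list | to_loadable > "$1"
}

# Load ruleset file $1 and arm a revert timer. The revert subshell
# ignores SIGHUP so it survives the ssh session dying, which is exactly
# the case it exists for.
apply_with_revert() {
    new=$1
    mkdir -p "$STATE_DIR"
    snapshot_rules "$STATE_DIR/previous.rules"
    "$IPFW" -q -f flush
    "$IPFW" -q "$new"
    (
        trap '' HUP
        sleep "$REVERT_SECS"
        "$IPFW" -q -f flush
        "$IPFW" -q "$STATE_DIR/previous.rules"
        rm -f "$STATE_DIR/revert.pid"
    ) >/dev/null 2>&1 &
    echo $! > "$STATE_DIR/revert.pid"
    echo "loaded $new; run '$0 confirm' within ${REVERT_SECS}s or the previous rules come back"
}

# Cancel the pending revert once you have verified you can still reach the box.
confirm_rules() {
    [ -f "$STATE_DIR/revert.pid" ] || { echo "no pending revert"; return 1; }
    kill "$(cat "$STATE_DIR/revert.pid")" && rm -f "$STATE_DIR/revert.pid"
    echo "ruleset kept"
}

# Dispatch: no argument does nothing, so the file can be sourced safely.
case "${1:-}" in
    status)  classify_default_rule "$("$IPFW" list 65535)" ;;
    apply)   apply_with_revert "$2" ;;
    confirm) confirm_rules ;;
esac
```

Usage: `sh ipfw-reload.sh status` tells you whether you are running with the deny or the accept default rule; `sh ipfw-reload.sh apply /etc/ipfw.new` loads the new rules, and if the shell you typed that in still works, `sh ipfw-reload.sh confirm` keeps them. The snapshot is taken from `ipfw list`, so anything that command does not show (dynamic rules, rules in other sets) is not restored; for a rc.conf-driven box you can instead point the revert at `service ipfw restart`, but the timer and the default-rule check are the part that matters.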