From owner-freebsd-questions@FreeBSD.ORG Fri Oct 11 03:41:09 2013
From: "Michael Ross"
To: freebsd-questions@freebsd.org, "Chris Stankevitz"
Subject: Re: NATD: net.inet.ip.fw.default_to_accept="1" vs firewall_type="OPEN"
Date: Fri, 11 Oct 2013 05:22:49 +0200
List-Id: User questions

On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz wrote:

> Hello,
>
> Handbook section 31.9 describes the setup of NAT.
>
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept="1" "during
> the first attempts to setup a firewall and NAT gateway".
>
> Section 31.9.5 suggests I "specify a predefined firewall ruleset that
> allows anything in" with firewall_type="OPEN"
>
> Question: What is the difference between these two configurations (or
> where can I go to learn the difference between the two)?
>
> Thank you,
>
> Chris

Hello,

ipfw always has one default rule; the standard one is

    65535 deny ip from any to any

If you set net.inet.ip.fw.default_to_accept="1", you get

    65535 allow ip from any to any

instead.

Specifying firewall_type="OPEN" gives you an additional rule

    65000 allow ip from any to any

Now, if for example you execute ``ipfw flush'', thus deleting all rules, this deletes rule 65000, but the default rule stays in effect. With ...default_to_accept="0" (standard setting) you have now disabled all network connections and locked yourself out if you're working remotely.

HTH,
Michael
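The two configurations side by side, with the checks to run before clearing a ruleset and a remote-safe way to do it. This is an added example, not part of Michael's reply or of the FreeBSD Handbook; rule numbers 65000 and 65535 are the ones named in the reply, while rule number 1 and the 120-second timer for the safety-net rule are arbitrary choices made here.

```shell
#!/bin/sh
# Added example (not from the original message or the Handbook). Meant to be
# read and pasted step by step on a FreeBSD host with ipfw, not run blindly.

# --- Variant A: change the DEFAULT rule (65535) itself ---
# net.inet.ip.fw.default_to_accept is a tunable read when ipfw loads, so it
# belongs in /boot/loader.conf (where the Handbook puts it), not sysctl.conf:
#
#   net.inet.ip.fw.default_to_accept="1"
#
# Result: "65535 allow ip from any to any". Rule 65535 cannot be flushed,
# so this setting survives "ipfw flush".

# --- Variant B: keep the deny default, add an explicit allow above it ---
# /etc/rc.conf:
#
#   firewall_enable="YES"
#   firewall_type="OPEN"     # rc.firewall adds "65000 pass all from any to any"
#
# Result: "65000 allow ip from any to any" followed by
#         "65535 deny ip from any to any".
# Rule 65000 is an ordinary rule, so "ipfw flush" removes it and only the
# deny default remains: that is the remote lockout described above.

# Check which situation you are in BEFORE touching the ruleset.
sysctl net.inet.ip.fw.default_to_accept    # 1 = default rule accepts, 0 = denies
ipfw list | tail -n 2                      # rule 65000 (if OPEN) and rule 65535

# Clearing rules over SSH with the deny default (variant B): never type a
# bare "ipfw flush". Either let the rc script flush and reload in one go...
service ipfw restart

# ...or, when reloading by hand, arm a safety net first: a detached timer
# that re-opens the firewall if the following commands lock you out.
nohup sh -c 'sleep 120; ipfw -q add 1 allow ip from any to any' \
    >/dev/null 2>&1 &
SAFETY_PID=$!

ipfw -q -f flush                           # -f: skip the "Are you sure?" prompt
ipfw -q add 65000 allow ip from any to any # put the OPEN rule back

# Once the session is confirmed alive, disarm the timer and drop rule 1 in
# case it already fired.
kill "$SAFETY_PID" 2>/dev/null
ipfw -q delete 1 2>/dev/null
```

The point of the safety net is that the timer runs as a separate process under nohup, so it survives the SSH session dying and re-opens the firewall without a console visit; it has to be disarmed afterwards or it leaves an allow-all rule at the top of the ruleset.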