From owner-freebsd-stable Mon Jan 28 14:37:32 2002
Date: Mon, 28 Jan 2002 15:37:04 -0700 (MST)
Message-Id: <20020128.153704.109572342.imp@village.org>
To: nate@yogotech.com
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
From: "M. Warner Losh"
In-Reply-To: <15445.53283.957773.221016@caddis.yogotech.com>
References: <15445.48617.802871.870971@caddis.yogotech.com> <20020128.151138.115627568.imp@village.org> <15445.53283.957773.221016@caddis.yogotech.com>

In message: <15445.53283.957773.221016@caddis.yogotech.com>
            Nate Williams writes:
: > My understanding of what I want and what you want, rendered in code
: > excerpt form is:
: >
: > # Initialize IP filtering using ipfw
: > #
: > if /sbin/ipfw -q flush > /dev/null 2>&1; then
: >         ipfw_in_kernel=1
: > else
: >         ipfw_in_kernel=0
: > fi
: >
: > case ${ipfw_enable} in
: > [Yy][Ee][Ss])
: >         if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
: >                 ipfw_in_kernel=1
: >                 echo 'Kernel firewall module loaded'
: >         elif [ "${ipfw_in_kernel}" -eq 0 ]; then
: >                 echo 'Warning: firewall kernel module failed to load'
: >         fi
: >         ;;
: > esac
:
: This loads things automagically if 'firewall is enabled', and does
: nothing if the 'firewall isn't enabled'.

No.  It says if ipfw is enabled, and not in the kernel, load it.

: > case ${ipfw_in_kernel} in
: > 1)
: > ... (indentation <<)
: > case ${ipfw_firewall_enable} in
:
: All of the above is just safety code.

This says that "I know that I have IPFW in the kernel, but I want to
disable its firewall functionality"

: > *)
: >         if [ -r "${ipfw_script}" ]; then
: >                 ...
: >         elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
: >                 echo 'Warning: kernel has firewall functionality,' \
: >                      'but firewall rules are not enabled.'
: >                 echo '         All ip services are disabled.'
: >         fi
:
: Which doesn't help much if you are not sitting at the console, but it
: will be seen once you login and check the logfiles.  (Been there, done
: that, hence the reason for my passioned opinions on this subject. :)

Agreed.  But the warning is there still.

: Except the chicken/egg problem, I'm not sure how to get the old
: 'default' functionality and still allow someone to easily 'disable' the
: kernel.  (Again, I don't care for the ipfw_firewall_disable variable.
: Also, the name is a bit redundant, but now I'm picking nits. :) :) :)

You missed the no clause of the case.  If you set
ipfw_firewall_enable=no, it will disable ipfw even if it is compiled
into the kernel.  This is failsafe, and would be very easy to document.

Warner
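The decision table of the excerpt above, written as a pure POSIX sh function so the no clause Warner points to and the default-deny lockout can be checked on a box without an ipfw kernel; this is an added example, not code from the thread, and the `ipfw add 65000 pass all from any to any` body for the no case is an assumption, since the thread elides it.

```shell
#!/bin/sh
# Added example (not code from the thread): the branch structure of the
# proposed rc fragment as a pure function, so every outcome, including the
# ipfw_firewall_enable=no clause, can be exercised on a box without ipfw.
# Arguments stand in for what the real script would probe at boot:
#   $1 ipfw_enable (yes/no/unset)   $2 in_kernel (1 if ipfw already in kernel)
#   $3 kldload_ok (1 if "kldload ipfw" would succeed)
#   $4 ipfw_firewall_enable (yes/no/unset)   $5 script_readable (1/0)
#   $6 rule65535: what "ipfw l 65535" would print (the default rule)
# Warnings go to stderr; stdout is the resulting state, one word.
firewall_state() {
    ipfw_enable=$1 in_kernel=$2 kldload_ok=$3
    ipfw_firewall_enable=$4 script_readable=$5 rule65535=$6

    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "${in_kernel}" -eq 0 ] && [ "${kldload_ok}" -eq 1 ]; then
            in_kernel=1        # stands in for: kldload ipfw
        elif [ "${in_kernel}" -eq 0 ]; then
            echo 'Warning: firewall kernel module failed to load' >&2
        fi
        ;;
    esac

    case ${in_kernel} in
    1)
        case ${ipfw_firewall_enable} in
        [Nn][Oo])
            # Explicit "no": ipfw is compiled in but its filtering is switched
            # off. Assumed body: ipfw add 65000 pass all from any to any
            echo open
            ;;
        *)
            if [ "${script_readable}" -eq 1 ]; then
                echo rules-loaded  # the real script would source ${ipfw_script}
            elif [ "${rule65535}" = "65535 deny ip from any to any" ]; then
                echo 'Warning: kernel has firewall functionality,' \
                     'but firewall rules are not enabled.' >&2
                echo default-deny  # every IP service is blocked: the lockout
            else
                echo default-allow # kernel built to accept by default
            fi
            ;;
        esac
        ;;
    *)
        echo no-ipfw
        ;;
    esac
}
```

Of all the inputs, only ipfw_firewall_enable=no yields `open` with ipfw in the kernel; ipfw compiled in with nothing else configured yields `default-deny`, which is the lockout the thread is about.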