From: John Baldwin
To: Lucky Green
Cc: doc@FreeBSD.ORG, l.rizzo@iet.unipi.it, Nick Rogness
Date: Thu, 02 Jan 2003 14:32:40 -0500 (EST)
Subject: RE: IPFW: suicidal defaults

On 02-Jan-2003 Lucky Green wrote:
> Nick wrote:
>> Ummm, unless things have changed, just recompiling the kernel with
>> 'options IPFIREWALL' won't enable your firewall. You need the
>> corresponding option in /etc/rc.conf :
>>
>> firewall_enable="YES"
>>
>> If you recompiled your kernel with 'options IPFIREWALL' and didn't
>> enable the above switch in /etc/rc.conf then your problem isn't
>> the firewall blocking you. Chances are your kernel won't load
>> properly on the machine the way you compiled it.
>
> I assure you that I didn't have firewall_enable="YES" set and yet the
> firewall was turned on once my system came back from reboot. Stock 4.6.2
> install, security branch cvsup. I am looking at rc.* this very moment.
>
> If I had enabled the firewall in rc.conf, I would richly deserve
> whatever punishment I got. :)
>
> Once I finally got a hold of a guy on-site, his trying to use ping on the
> server made it pretty obvious that the firewall was active. He added an
> entry to rc.local that starts up the firewall with a more lenient rule
> set, but I will look at /etc/defaults/rc.conf to figure out how IPFW is
> supposed to be started up from rc.conf.
>
> I swear that the firewall came up without any changes to rc.conf,
> otherwise I wouldn't have emailed you folks in the first place...

Use 'firewall_enable="YES"' and 'firewall_type="open"' in /etc/rc.conf
until you come up with a ruleset. Either that or compile your kernel with
the option to default to allow when you compile the firewall in.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
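As an added example, not part of the thread, here is a small sh script that checks rc.conf contents for the combination John recommends before a remote reboot. It assumes a kernel built with 'options IPFIREWALL' and without the default-to-accept option, so that when rc loads no ruleset the built-in deny-all rule blocks all traffic, and it works on constructed rc.conf contents rather than a real /etc/rc.conf.

```sh
#!/bin/sh
# Added example, not from the thread. Audits rc.conf contents for the
# lockout discussed above. Assumption: the kernel has 'options IPFIREWALL'
# and no default-to-accept option, so if rc never loads a ruleset the
# built-in deny-all rule blocks all traffic after reboot.

# Constructed rc.conf contents (not from a real system).
RC_LOCKED='hostname="box.example"
sshd_enable="YES"'

RC_NOTYPE='firewall_enable="YES"'

RC_OPEN='hostname="box.example"
firewall_enable="YES"
firewall_type="open"'

# rc_get CONTENT VAR: value of the last VAR= assignment, quotes stripped.
rc_get() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2=//p" \
        | tail -n 1 \
        | sed 's/^"\(.*\)"$/\1/'
}

# ipfw_boot_state CONTENT: how the firewall comes up on next boot.
#   locked  - no ruleset gets loaded, so the kernel default deny-all wins
#             (firewall_enable unset, or firewall_type left at the
#             UNKNOWN default from /etc/defaults/rc.conf)
#   open    - firewall_type="open": host stays reachable, tighten later
#   ruleset - some other ruleset or file; review it before rebooting
ipfw_boot_state() {
    fwenable=$(rc_get "$1" firewall_enable)
    fwtype=$(rc_get "$1" firewall_type)
    case "$fwenable" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;   # values checkyesno accepts
        *) echo locked; return 0 ;;
    esac
    case "$fwtype" in
        ""|UNKNOWN) echo locked ;;
        open)       echo open ;;
        *)          echo ruleset ;;
    esac
}

# Real use: ipfw_boot_state "$(cat /etc/rc.conf)"
ipfw_boot_state "$RC_LOCKED"   # locked
ipfw_boot_state "$RC_NOTYPE"   # locked
ipfw_boot_state "$RC_OPEN"     # open
```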