From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Mon, 28 Jan 2002 15:40:56 -0700
To: "M. Warner Losh"
Cc: nate@yogotech.com, cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <15445.54136.731213.811969@caddis.yogotech.com>
In-Reply-To: <20020128.153704.109572342.imp@village.org>

> : > # Initialize IP filtering using ipfw
> : > #
> : > if /sbin/ipfw -q flush > /dev/null 2>&1; then
> : >         ipfw_in_kernel=1
> : > else
> : >         ipfw_in_kernel=0
> : > fi
> : >
> : > case ${ipfw_enable} in
> : > [Yy][Ee][Ss])
> : >         if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
> : >                 ipfw_in_kernel=1
> : >                 echo 'Kernel firewall module loaded'
> : >         elif [ "${ipfw_in_kernel}" -eq 0 ]; then
> : >                 echo 'Warning: firewall kernel module failed to load'
> : >         fi
> : >         ;;
> : > esac
> :
> : This loads things automagically if 'firewall is enabled', and does
> : nothing if the 'firewall isn't enabled'.
>
> No.  It says if ipfw is enabled, and not in the kernel, load it.

I'm in violent agreement with that.

> : > case ${ipfw_in_kernel} in
> : > 1)
> : >         ... (indentation <<)
> : >         case ${ipfw_firewall_enable} in
> :
> : All of the above is just safety code.
>
> This says that "I know that I have IPFW in the kernel, but I want to
> disable its firewall functionality"

Actually, this says I know that I have firewall in the kernel.  The only
time this code is used is when the firewall isn't statically compiled
in, and it failed to load.

> : > *)
> : >         if [ -r "${ipfw_script}" ]; then
> : >                 ...
> : >         elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
> : >                 echo 'Warning: kernel has firewall functionality,' \
> : >                      'but firewall rules are not enabled.'
> : >                 echo '    All ip services are disabled.'
> : >         fi
> :
> : Which doesn't help much if you are not sitting at the console, but it
> : will be seen once you log in and check the logfiles.  (Been there, done
> : that, hence the reason for my passionate opinions on this subject. :)
>
> Agreed.  But the warning is there still.
>
> : Except the chicken/egg problem, I'm not sure how to get the old
> : 'default' functionality and still allow someone to easily 'disable' the
> : kernel.  (Again, I don't care for the ipfw_firewall_disable variable.
> : Also, the name is a bit redundant, but now I'm picking nits. :) :) :)
>
> You missed the no clause of the case.
>
> If you set ipfw_firewall_enable=no, it will disable ipfw even if it is
> compiled into the kernel.

Yes, and I think having this is a good thing.  However, what are the
default values for the variables?

Nate
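A stand-alone model of the rc logic quoted in this thread, added here as an example; it is not code from the thread or from FreeBSD's own rc scripts. It replaces ipfw(8) and kldload(8) with stubs driven by the constructed variables stub_in_kernel, stub_module_ok and stub_last_rule, and assumes the "no" clause Warner mentions simply disables the firewall, so each combination of ipfw_enable and ipfw_firewall_enable can be traced to the branch it takes, including the default-deny warning that fires when the kernel has ipfw but no rule script is readable.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc scripts:
# a stand-alone model of the proposed rc logic, so each branch can be
# exercised without a kernel.  ipfw(8) and kldload(8) are replaced by
# stubs driven by the constructed variables stub_in_kernel,
# stub_module_ok and stub_last_rule.

ipfw() {            # stub: fails when ipfw is not "in the kernel"
    [ "$stub_in_kernel" -eq 1 ] || return 1
    [ "$1" = l ] && echo "$stub_last_rule"
    return 0
}
kldload() {         # stub: succeeds only when the module is "available"
    [ "$stub_module_ok" -eq 1 ] && stub_in_kernel=1
}

# usage: ipfw_rc_decide in_kernel module_ok last_rule ipfw_enable ipfw_firewall_enable ipfw_script
# Prints the actions the proposed script would take, in order (empty if none).
ipfw_rc_decide() {
    stub_in_kernel=$1 stub_module_ok=$2 stub_last_rule=$3
    ipfw_enable=$4 ipfw_firewall_enable=$5 ipfw_script=$6
    actions=""
    if ipfw -q flush > /dev/null 2>&1; then ipfw_in_kernel=1; else ipfw_in_kernel=0; fi
    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
            ipfw_in_kernel=1; actions="module-loaded"
        elif [ "${ipfw_in_kernel}" -eq 0 ]; then
            actions="module-load-failed"       # no firewall is in force
        fi ;;
    esac
    case ${ipfw_in_kernel} in
    1)
        case ${ipfw_firewall_enable} in
        [Nn][Oo])   # the "no" clause Warner refers to; assumed to just disable
            actions="$actions firewall-disabled" ;;
        *)
            if [ -r "${ipfw_script}" ]; then
                actions="$actions run-${ipfw_script}"
            elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
                actions="$actions warn-default-deny"   # no rules: all IP blocked
            fi ;;
        esac ;;
    esac
    echo "${actions# }"
}

[ $# -eq 6 ] && ipfw_rc_decide "$@"
```

Run it with the six arguments above (for example a statically compiled kernel, no module, a default-deny last rule, ipfw_enable=yes, an empty ipfw_firewall_enable and a missing script) to see which warning or action the proposal would produce for that rc.conf.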