From: "M. Warner Losh" <imp@village.org>
To: nate@yogotech.com
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Date: Mon, 28 Jan 2002 15:46:56 -0700 (MST)
Message-Id: <20020128.154656.123855750.imp@village.org>
In-Reply-To: <15445.54136.731213.811969@caddis.yogotech.com>
List: freebsd-stable@freebsd.org

In message: <15445.54136.731213.811969@caddis.yogotech.com>
            Nate Williams writes:
: > : > # Initialize IP filtering using ipfw
: > : > #
: > : > if /sbin/ipfw -q flush > /dev/null 2>&1; then
: > : >         ipfw_in_kernel=1
: > : > else
: > : >         ipfw_in_kernel=0
: > : > fi
: > : >
: > : > case ${ipfw_enable} in
: > : > [Yy][Ee][Ss])
: > : >         if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
: > : >                 ipfw_in_kernel=1
: > : >                 echo 'Kernel firewall module loaded'
: > : >         elif [ "${ipfw_in_kernel}" -eq 0 ]; then
: > : >                 echo 'Warning: firewall kernel module failed to load'
: > : >         fi
: > : >         ;;
: > : > esac
: > :
: > : This loads things automagically if 'firewall is enabled', and does
: > : nothing if the 'firewall isn't enabled'.
: >
: > No.  It says if ipfw is enabled, and not in the kernel, load it.
:
: I'm in violent agreement with that.
:
: > : > case ${ipfw_in_kernel} in
: > : > 1)

At this point we know we have ipfw in the kernel, either statically or
dynamically loaded.

: > : >         ... (indentation <<)
: > : >         case ${ipfw_firewall_enable} in
: > :
: > : All of the above is just safety code.
: >
: > This says that "I know that I have IPFW in the kernel, but I want to
: > disable its firewall functionality"
:
: Actually, this says I know that I have firewall in the kernel.  The only
: time this code is used is when the firewall isn't statically compiled
: in, and it failed to load.

I think that what I wrote doesn't match this statement.  Since we set
ipfw_in_kernel when we've loaded it or when it is in the kernel, the
code gets executed when ipfw is in the kernel, by whatever path.  The
no clause of this case would then issue the warning, and turn off the
ipfw stuff.  In the case where ipfw isn't in the kernel (statically or
dynamically), no action is necessary to disable it.

: > : >         *)
: > : >                 if [ -r "${ipfw_script}" ]; then
: > : >                         ...
: > : >                 elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
: > : >                         echo 'Warning: kernel has firewall functionality,' \
: > : >                              'but firewall rules are not enabled.'
: > : >                         echo '         All ip services are disabled.'
: > : >                 fi
: > :
: > : Which doesn't help much if you are not sitting at the console, but you
: > : be seen once you login and check the logfiles.  (Been there, done that,
: > : hence the reason for my passioned opinions on this subject. :)
: >
: > Agreed.  But the warning is there still.
: >
: > : Except the chicken/egg problem, I'm not sure how to get the old
: > : 'default' functionality and still allow someone to easily 'disable' the
: > : kernel.  (Again, I don't care for the ipfw_firewall_disable variable.
: > : Also, the name is a bit redundant, but now I'm picking nits. :) :) :)
: >
: > You missed the no clause of the case.
: >
: > If you set ipfw_firewall_enable=no, it will disable ipfw even if it is
: > compiled into the kernel.
:
: Yes, and I think having this is a good thing.  However, what are the
: default values for the variables?

In previous mail I suggested:

ipfw_enable=no
ipfw_firewall_enable=yes

Warner
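The start-up decision the quoted rc fragment encodes, written out as one function so the paths the two of them argue about (module absent vs. loaded, ipfw_firewall_enable=no vs. yes, rules script present vs. default-deny kernel) can be exercised with stub commands instead of a real kernel. This is an added example, not code from the thread or from FreeBSD's rc scripts. The IPFW_CMD, KLDLOAD_CMD and SYSCTL_CMD hooks are hypothetical names introduced so a test can substitute stubs; the real rc code calls the binaries directly. Turning filtering off via net.inet.ip.fw.enable=0 is an assumption, since the thread does not say how "turn off the ipfw stuff" is done.

```shell
#!/bin/sh
# Added example (not from the thread): Warner's proposed ipfw start-up
# logic as a single function that reports which path it took.
# Hypothetical hooks so stubs can stand in for the real commands:
: "${IPFW_CMD:=/sbin/ipfw}"
: "${KLDLOAD_CMD:=kldload}"
: "${SYSCTL_CMD:=sysctl}"

# Defaults Warner proposes at the end of the message.
: "${ipfw_enable:=no}"
: "${ipfw_firewall_enable:=yes}"
: "${ipfw_script:=/etc/rc.firewall}"

# Probe from the proposal: 'ipfw -q flush' only succeeds when ipfw is in
# the kernel. It also discards any rules already present, which is why it
# belongs at early boot and nowhere else.
ipfw_in_kernel() {
    "$IPFW_CMD" -q flush >/dev/null 2>&1
}

# Prints one outcome word on stdout (diagnostics go to stderr):
#   absent        ipfw not in kernel and ipfw_enable=no: nothing to do
#   load-failed   ipfw_enable=yes but the module did not load
#   disabled      ipfw present but ipfw_firewall_enable=no: filtering off
#   rules-loaded  ipfw present and the rules script was sourced
#   default-deny  ipfw present, no readable script, default rule is deny
#   open          ipfw present, no readable script, default rule is not deny
ipfw_start() {
    in_kernel=0
    if ipfw_in_kernel; then
        in_kernel=1
    fi

    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "$in_kernel" -eq 0 ] && "$KLDLOAD_CMD" ipfw >/dev/null 2>&1; then
            in_kernel=1
            echo 'Kernel firewall module loaded' >&2
        elif [ "$in_kernel" -eq 0 ]; then
            echo 'Warning: firewall kernel module failed to load' >&2
            echo load-failed
            return 0
        fi
        ;;
    esac

    # Not in the kernel by any path: nothing to enable or disable.
    if [ "$in_kernel" -eq 0 ]; then
        echo absent
        return 0
    fi

    # From here on ipfw is in the kernel, statically or dynamically.
    case ${ipfw_firewall_enable} in
    [Nn][Oo])
        # Assumed mechanism for switching filtering off.
        "$SYSCTL_CMD" net.inet.ip.fw.enable=0 >/dev/null 2>&1 ||
            echo 'Warning: could not disable ipfw' >&2
        echo 'Warning: ipfw is in the kernel but ipfw_firewall_enable=no' >&2
        echo disabled
        ;;
    *)
        if [ -r "${ipfw_script}" ]; then
            . "${ipfw_script}"
            echo rules-loaded
        elif [ "$("$IPFW_CMD" l 65535)" = "65535 deny ip from any to any" ]; then
            echo 'Warning: kernel has firewall functionality,' \
                 'but firewall rules are not enabled.' >&2
            echo '         All ip services are disabled.' >&2
            echo default-deny
        else
            echo open
        fi
        ;;
    esac
}
```

Run as root at boot the function does what the rc fragment does; run with IPFW_CMD pointing at a stub that answers `-q flush` and `l 65535` it lets you check, offline, that the absent, loaded, disabled and default-deny paths each end where the thread says they should.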