From owner-freebsd-bugs Thu Jul 20 16:20: 8 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id 86F7D37B863
    for ; Thu, 20 Jul 2000 16:20:02 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id QAA20250;
    Thu, 20 Jul 2000 16:20:02 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4])
    by hub.freebsd.org (Postfix) with ESMTP id 8FBF637B66F
    for ; Thu, 20 Jul 2000 16:17:46 -0700 (PDT)
    (envelope-from Arjan.deVet@adv.iae.nl)
Received: (from uucp@localhost)
    by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id BAA15733
    for FreeBSD-gnats-submit@freebsd.org; Fri, 21 Jul 2000 01:17:45 +0200 (MET DST)
Received: by adv.iae.nl (Postfix, from userid 100)
    id A01E522E3; Fri, 21 Jul 2000 01:17:38 +0200 (CEST)
Message-Id: <20000720231738.A01E522E3@adv.iae.nl>
Date: Fri, 21 Jul 2000 01:17:38 +0200 (CEST)
From: Arjan de Vet
Reply-To: Arjan.deVet@adv.iae.nl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: conf/20075: option IPFILTER_DEFAULT_BLOCK not in LINT (ipfilter)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 20075
>Category: conf
>Synopsis: option IPFILTER_DEFAULT_BLOCK not in LINT (ipfilter)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 20 16:20:02 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Arjan de Vet
>Release: FreeBSD 4.1-RC i386
>Organization: -
>Environment:
FreeBSD adv.iae.nl 4.1-RC FreeBSD 4.1-RC #31: Thu Jul 20 18:50:34 CEST 2000 root@adv.iae.nl:/usr/src/sys/compile/ADV i386
>Description:
Option IPFILTER_DEFAULT_BLOCK is not listed in LINT. It makes ipfilter block all packets by default which I consider a very useful option from a security point of view: failing to load filter rules will deny any network traffic instead of allowing all traffic.
>How-To-Repeat: -
>Fix:
Index: LINT =================================================================== RCS file: /home/freebsd/CVS/src/sys/i386/conf/Attic/LINT,v retrieving revision 1.749.2.17 diff -u -r1.749.2.17 LINT --- LINT 2000/07/20 19:07:02 1.749.2.17 +++ LINT 2000/07/20 23:11:23 @@ -536,6 +536,7 @@ options IPDIVERT #divert sockets options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging +options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding options TCPDEBUG
>Release-Note:
>Audit-Trail:
>Unformatted:
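
Review bot: the comment on the added `options IPFILTER_DEFAULT_BLOCK` line says only "block all packets by default" and leaves out the consequence the report itself spells out, namely that a machine whose filter rules fail to load passes no network traffic at all. Consider wording it along the lines of `#block all packets by default (no traffic until rules are loaded)`, so that someone enabling it on a remotely administered machine knows a working ruleset has to be loaded at boot before relying on network access. Placement directly after IPFILTER_LOG, next to the other IPFILTER options, looks right.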