Date:      Mon, 26 Feb 1996 14:26:23 +0100
From:      Poul-Henning Kamp <phk@critter.tfs.com>
To:        michael butler <imb@scgt.oz.au>
Cc:        stable@freebsd.org, current@freebsd.org
Subject:   Re: -stable hangs at boot (fwd) 
Message-ID:  <11364.825341183@critter.tfs.com>
In-Reply-To: Your message of "Mon, 26 Feb 1996 23:28:56 +1100." <199602261228.XAA07877@asstdc.scgt.oz.au>

> If you ^C your way to a shell prompt, there's a single rule that's in the
> firewall list saying "deny all from any to any". Courtesy of the same recent
> brain-damage in ipfw(8), you can't delete this rule either ("setsockopt
> failed").

If you call this "brain-damage" then you quite clearly don't need IPFW.

> I suspect the very same problem in -current.
> 
> The only workaround I can think of is to add "ipfw addf accept .."
> statements _prior_ to the running of ifconfig in netstart .. theory as yet
> untested ..

This is all correct, designed that way, and it is the way it should work,
according to all material I have on the subject.

If you have IPFW in your kernel, you don't want it to pass any packets 
you haven't approved in your filters.

QED:  Setup your filters before anything gets passed.

Wrt to the rule #65535 "deny all from any to any", then you are correct,
you cannot delete it.  It represents the default policy of "anything not
specifically allowed, is banned."

If you want to have another policy, then you must define rules that
implement that policy; "65000 allow all from any to any" sounds like the
policy for your needs.

If you want to dispute this design, then please find at least one textbook
or capacity in the area who agrees with you first; that will save a lot of
my time.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
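The behaviour discussed in this thread, as an added illustration that is not FreeBSD or ipfw code: a small model of ordered, first-match rule evaluation with an undeletable default rule 65535 ("deny all from any to any"). It shows why a kernel with IPFW passes nothing until allow rules are installed, what adding "65000 allow all from any to any" changes, and that lower-numbered deny rules still take precedence over that catch-all allow. Packet fields, the matching logic and the sample addresses are simplified assumptions made for the example.

```python
"""
Constructed model of IPFW's ordered, first-match rule evaluation.
Assumptions for illustration only: rules carry a number, an action and
exact-or-"any" source/destination; the kernel pre-installs rule 65535
(deny all) and refuses to delete it, as the thread describes.
"""
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_RULE_NUMBER = 65535  # fixed default-deny rule, always present


@dataclass
class Rule:
    number: int
    action: str            # "allow" or "deny"
    src: str = "any"       # "any" or an exact address (simplification)
    dst: str = "any"


@dataclass
class Packet:
    src: str
    dst: str


class FirewallModel:
    """Ordered rule list; the first matching rule decides the packet's fate."""

    def __init__(self) -> None:
        # The default rule exists from the moment the firewall is active,
        # which is why nothing passes until explicit allow rules are added.
        self.rules: List[Rule] = [Rule(DEFAULT_RULE_NUMBER, "deny")]

    def add(self, rule: Rule) -> None:
        if rule.number >= DEFAULT_RULE_NUMBER:
            raise ValueError("user rules must be numbered below 65535")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)  # evaluation order = rule number

    def delete(self, number: int) -> None:
        if number == DEFAULT_RULE_NUMBER:
            # Mirrors the refusal reported in the thread: the default policy
            # is not a user rule and cannot be removed, only preceded.
            raise PermissionError("rule 65535 is the default policy and cannot be deleted")
        self.rules = [r for r in self.rules if r.number != number]

    def check(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.src in ("any", pkt.src) and r.dst in ("any", pkt.dst):
                return r.action
        raise AssertionError("unreachable: rule 65535 matches every packet")


# Constructed sample traffic (documentation/test addresses, not real hosts).
SAMPLE = Packet("10.0.0.1", "10.0.0.2")
BLOCKED_HOST = "192.0.2.99"


def boot_with_no_rules() -> str:
    """Firewall active, no filters yet: everything hits 65535 and is denied."""
    return FirewallModel().check(SAMPLE)


def boot_with_allow_all() -> str:
    """The catch-all from the thread: 65000 allow all from any to any."""
    fw = FirewallModel()
    fw.add(Rule(65000, "allow"))
    return fw.check(SAMPLE)


def allow_all_respects_earlier_denies() -> Tuple[str, str]:
    """A specific deny below 65000 still wins because it is evaluated first."""
    fw = FirewallModel()
    fw.add(Rule(100, "deny", src=BLOCKED_HOST))
    fw.add(Rule(65000, "allow"))
    return (fw.check(Packet(BLOCKED_HOST, "10.0.0.2")), fw.check(SAMPLE))


def default_rule_is_undeletable() -> bool:
    """Deleting 65535 fails; changing policy means adding rules in front of it."""
    try:
        FirewallModel().delete(DEFAULT_RULE_NUMBER)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("no rules       :", boot_with_no_rules())
    print("65000 allow all:", boot_with_allow_all())
    print("deny + allow   :", allow_all_respects_earlier_denies())
    print("65535 deletable:", not default_rule_is_undeletable())
```

The model makes the ordering point concrete: installing a permissive policy means adding a rule numbered below 65535, and any stricter rules must sit below that catch-all or they never match.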
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?11364.825341183>