Date: Thu, 2 Jan 2003 14:33:34 -0500 (EST)
From: Mike DeGraw-Bertsch <mbertsch@radioactivedata.org>
To: Lucky Green <shamrock@cypherpunks.to>
Cc: "doc@FreeBSD.ORG" <doc@FreeBSD.ORG>
Subject: RE: IPFW: suicidal defaults
Message-ID: <Pine.BSF.4.33.0301021431410.23590-100000@glow.usefulprojects.com>
In-Reply-To: <003901c2b294$9f341610$6601a8c0@VAIO650>
Howdy,

While it's probably not the first place people look, if you look at the
firewall section in the LINT configuration, you'll see:

# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything. Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines. However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you. Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.

So, without IPFIREWALL_DEFAULT_TO_ACCEPT, yep, you'll lock yourself out
right quick, even without an rc.conf change.

Not that I've done this myself last week or anything. ;)

-Mike

On Thu, 2 Jan 2003, Lucky Green wrote:

> Nick wrote:
> > Ummm, unless things have changed, just recompiling the kernel with
> > 'options IPFIREWALL' won't enable your firewall. You need the
> > corresponding option in /etc/rc.conf :
> >
> > firewall_enable="YES"
> >
> > If you recompiled your kernel with 'options IPFIREWALL' and didn't
> > enable the above switch in /etc/rc.conf then your problem isn't
> > the firewall blocking you. Chances are your kernel won't load
> > properly on the machine the way you compiled it.
>
> I assure you that I didn't have firewall_enable="YES" set and yet the
> firewall was turned on once my system came back from reboot. Stock 4.6.2
> install, security branch cvsup. I am looking at rc.* this very moment.
>
> If I had enabled the firewall in rc.conf, I would richly deserve
> whatever punishment I got. :)
>
> Once I finally got a hold of a guy on-site, his trying to use ping on the
> server made it pretty obvious that that firewall was active. He added an
> entry to rc.local that starts up the firewall with a more lenient rule
> set, but I will look at /etc/defaults/rc.conf to figure out how IPFW is
> supposed to be started up from rc.conf.
>
> I swear that the firewall came up without any changes to rc.conf,
> otherwise I wouldn't have emailed you folks in the first place...
>
> --Lucky
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-doc" in the body of the message
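A pre-reboot check for the lockout this thread describes, added here as an example and not part of the original mail: given a kernel config and an rc.conf (the sample files it writes are constructed), it reports whether booting that kernel leaves IPFW's default rule 65535 as "deny ip from any to any" with nothing in rc.conf to load a more permissive ruleset. The function names and the result words are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Paths to a kernel config and an
# rc.conf are passed as arguments; the sample inputs at the bottom are
# constructed so the script runs stand-alone.

# kernel_has_option FILE OPTION: true if an uncommented "options OPTION" exists
kernel_has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

# rc_value FILE VAR: print VAR's value from an rc.conf-style file
# (last uncommented assignment wins, surrounding quotes stripped)
rc_value() {
    sed -n -E "s/^[[:space:]]*$2=[\"']?([^\"'#]*)[\"']?.*/\1/p" "$1" | tail -n 1
}

# ipfw_lockout_risk KERNCONF RCCONF prints one of:
#   no-ipfw         IPFIREWALL is not compiled in
#   default-accept  IPFIREWALL_DEFAULT_TO_ACCEPT makes rule 65535 allow
#   locked-out      default deny, and rc.conf loads no permissive ruleset
#   ok              default deny, but rc.conf enables an open or named ruleset
ipfw_lockout_risk() {
    kernel_has_option "$1" IPFIREWALL || { echo no-ipfw; return; }
    kernel_has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT && { echo default-accept; return; }
    fw_enable=$(rc_value "$2" firewall_enable)
    fw_type=$(rc_value "$2" firewall_type)
    case "$fw_enable" in
        [Yy][Ee][Ss]) ;;
        *) echo locked-out; return ;;   # kernel deny rule active, rc.firewall never runs
    esac
    case "$fw_type" in
        ""|[Uu][Nn][Kk][Nn][Oo][Ww][Nn]|closed) echo locked-out ;;  # rc.firewall opens nothing
        *) echo ok ;;
    esac
}

# Constructed sample inputs (not real system files).
IPFW_SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'options IPFIREWALL      # default rule 65535 denies' \
              'options IPFIREWALL_VERBOSE' >"$IPFW_SAMPLE_DIR/KERNEL"
: >"$IPFW_SAMPLE_DIR/rc.conf.stock"        # no firewall_* lines, the case in the thread
printf '%s\n' 'firewall_enable="YES"' 'firewall_type="open"' >"$IPFW_SAMPLE_DIR/rc.conf.open"

echo "stock rc.conf: $(ipfw_lockout_risk "$IPFW_SAMPLE_DIR/KERNEL" "$IPFW_SAMPLE_DIR/rc.conf.stock")"
echo "open rc.conf:  $(ipfw_lockout_risk "$IPFW_SAMPLE_DIR/KERNEL" "$IPFW_SAMPLE_DIR/rc.conf.open")"
```

Run it against a real kernel config and /etc/rc.conf before the reboot that introduces 'options IPFIREWALL'; anything but "ok" or "default-accept" is the situation Lucky hit.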