From owner-freebsd-doc Thu Jan 2 11:33:39 2003
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1033C37B401 for ; Thu, 2 Jan 2003 11:33:37 -0800 (PST)
Received: from glow.radioactivedata.com (glow.radioactivedata.org [199.232.41.27]) by mx1.FreeBSD.org (Postfix) with SMTP id 9DCD943EA9 for ; Thu, 2 Jan 2003 11:33:35 -0800 (PST) (envelope-from mbertsch@radioactivedata.org)
Received: (qmail 23625 invoked by uid 7770); 2 Jan 2003 19:33:34 -0000
Received: from localhost.radioactivedata.org (HELO localhost) (127.0.0.1) by localhost.radioactivedata.org with SMTP; 2 Jan 2003 19:33:34 -0000
Date: Thu, 2 Jan 2003 14:33:34 -0500 (EST)
From: Mike DeGraw-Bertsch
X-X-Sender:
To: Lucky Green
Cc: "doc@FreeBSD.ORG"
Subject: RE: IPFW: suicidal defaults
In-Reply-To: <003901c2b294$9f341610$6601a8c0@VAIO650>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Howdy,

While it's probably not the first place people look, if you look at the
firewall section in the LINT configuration, you'll see:

# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.

So, without IPFIREWALL_DEFAULT_TO_ACCEPT, yep, you'll lock yourself out
right quick, even without an rc.conf change.  Not that I've done this
myself last week or anything.  ;)

-Mike

On Thu, 2 Jan 2003, Lucky Green wrote:

> Nick wrote:
> > Ummm, unless things have changed, just recompiling the kernel with
> > 'options IPFIREWALL' won't enable your firewall. You need the
> > corresponding option in /etc/rc.conf :
> >
> > firewall_enable="YES"
> >
> > If you recompiled your kernel with 'options IPFIREWALL' and didn't
> > enable the above switch in /etc/rc.conf then your problem isn't
> > the firewall blocking you. Chances are your kernel won't load
> > properly on the machine the way you compiled it.
>
> I assure you that I didn't have firewall_enable="YES" set and yet the
> firewall was turned on once my system came back from reboot. Stock 4.6.2
> install, security branch cvsup. I am looking at rc.* this very moment.
>
> If I had enabled the firewall in rc.conf, I would richly deserve
> whatever punishment I got. :)
>
> Once I finally got a hold of a guy on-site, his trying to use ping on the
> server made it pretty obvious that the firewall was active. He added an
> entry to rc.local that starts up the firewall with a more lenient rule
> set, but I will look at /etc/defaults/rc.conf to figure out how IPFW is
> supposed to be started up from rc.conf.
>
> I swear that the firewall came up without any changes to rc.conf,
> otherwise I wouldn't have emailed you folks in the first place...
>
> --Lucky
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-doc" in the body of the message
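The lockout condition the thread above describes, as an added pre-flight check that is not part of the original mail or of FreeBSD: a POSIX sh script that reads a kernel config and an rc.conf and reports whether the box would come up with the default deny rule in force and nothing to open it. It assumes, following Nick's reply, that rc.firewall only reads firewall_type when firewall_enable is YES, and treats every other combination as a lockout risk; the sample config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added pre-flight check (not from the original thread or from FreeBSD): decide
# whether a kernel config plus rc.conf would leave "deny ip from any to any" in
# force with nothing to open it, using only what the thread states:
#   options IPFIREWALL alone                   -> default policy deny
#   options IPFIREWALL_DEFAULT_TO_ACCEPT       -> default rule allows everything
#   firewall_enable="YES" + firewall_type=open -> rc.firewall loads the open ruleset
# Assumption: anything else is treated as a lockout risk.

# rc_value VAR FILE: value of the last VAR= assignment in FILE, quotes stripped.
rc_value() {
    grep -E "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 \
        | sed 's/^[^=]*=//; s/[[:space:]]*#.*$//' | tr -d '\042\047' | tr -d '[:space:]'
}

# kopt NAME FILE: true if an uncommented "options NAME" line exists in FILE.
kopt() {
    sed 's/#.*//' "$2" | grep -Eq "^[[:space:]]*options[[:space:]]+$1([[:space:]]|$)"
}

# ipfw_lockout_check KERNEL_CONF RC_CONF: prints a verdict; returns 0 safe, 1 risk.
ipfw_lockout_check() {
    if ! kopt IPFIREWALL "$1"; then
        echo "safe: IPFIREWALL not compiled in"; return 0
    fi
    if kopt IPFIREWALL_DEFAULT_TO_ACCEPT "$1"; then
        echo "safe: default rule accepts everything (use with care)"; return 0
    fi
    case "$(rc_value firewall_enable "$2")/$(rc_value firewall_type "$2")" in
        [Yy][Ee][Ss]/open) echo "safe: rc.firewall will load the open ruleset"; return 0 ;;
    esac
    echo "RISK: default policy is deny and no open ruleset is loaded"
    return 1
}

# write_samples DIR: constructed sample inputs (not taken from a real system).
write_samples() {
    printf 'options IPFIREWALL\noptions IPFIREWALL_VERBOSE\n' > "$1/LOCKOUT"
    printf 'options IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$1/ACCEPT"
    printf 'firewall_enable="NO"\n' > "$1/rc.conf.stock"
    printf 'firewall_enable="YES"\nfirewall_type="open"  # refine later\n' > "$1/rc.conf.open"
}

d=$(mktemp -d) || exit 1
write_samples "$d"
ipfw_lockout_check "$d/LOCKOUT" "$d/rc.conf.stock"   # RISK
ipfw_lockout_check "$d/LOCKOUT" "$d/rc.conf.open"    # safe
ipfw_lockout_check "$d/ACCEPT"  "$d/rc.conf.stock"   # safe
rm -rf "$d"
```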