From: "Crist J. Clark"
To: current@freebsd.org
Subject: HEADS UP: Minor rc.firewall{,6} Change
Date: Thu, 21 Feb 2002 05:32:44 -0800
Message-ID: <20020221053244.S48401@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu

I just made a few _minor_ changes to the rc.firewall{,6} scripts. The vast majority of users will not be affected. However, since a few may be, and this is a security issue with the potential to cause some subtle breakage, I felt a small HEADS UP was in order.

(For the very security conscious and paranoid, note that this change can only "fail-safe" if people apply it blindly. You'll be "more secure," but it may break stuff.)

If you do not use firewalling or rc.firewall{,6} at all (that is, you do not have 'firewall_enable="YES"' and/or 'ipv6_firewall_enable="YES"') or if you use custom rc.firewall{,6} scripts, you are not affected.
Two groups of people who use the provided firewall scripts are affected:

  1) Those who put a rules file in the 'firewall_type' variable, or

  2) Those who put a non-existent type in the 'firewall_type' variable.

In both cases, you will no longer get the rules,

  100 pass all from any to any via lo0
  200 deny all from any to 127.0.0.0/8
  300 deny ip from 127.0.0.0/8 to any

in rc.firewall, and,

  100 pass all from any to any via lo0
  200 pass ipv6-icmp from :: to ff02::/16
  300 pass ipv6-icmp from fe80::/10 to fe80::/10
  400 pass ipv6-icmp from fe80::/10 to ff02::/16

in rc.firewall6, added to your firewall by the system scripts.

If you are in group (1), you should add whatever rules like these _you_ want for _your_ site into your rule file. If you are in group (2), using 'firewall_type="closed"' (which now works as advertised) will give you the same effect as your current configuration.

The motivation for the change was mainly for the people in group (1). Up until now, those rules were added _unconditionally_ by the rc.network{,6} scripts. For people who want to define their own rulesets outside of the simple ones provided in the rc.firewall{,6} scripts, the system should make NO assumptions about your site's policy and should not be adding rules.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
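An added example, not part of the original message or of the FreeBSD rc scripts: a small sh script for people in group (1) that lints a custom ipfw rules file for the three IPv4 loopback rules that rc.network no longer adds on their behalf, and checks that the lo0 pass is numbered below the 127.0.0.0/8 deny (otherwise local loopback traffic is dropped). The default file name, the exact rule wording it matches (with or without a leading "add"), and the sample inputs are assumptions; the IPv6 rules from rc.firewall6 are not covered.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD's rc.firewall):
# check a custom ipfw rules file named in firewall_type for the loopback rules
# that the system scripts used to add unconditionally.
# Assumptions: rules look like "[add] <num> <action> <proto> from <src> to <dst> [via <if>]",
# as in the rules quoted in the message; /etc/ipfw.rules is a constructed default path.

RULES_FILE="${1:-/etc/ipfw.rules}"

# Extended regexes for the three rules, tolerant of an optional "add" prefix,
# a rule number, and the ipfw synonyms pass/allow/accept, deny/drop, all/ip.
PREFIX='^[[:space:]]*(add[[:space:]]+)?[0-9]*[[:space:]]*'
LO0_PASS="${PREFIX}(pass|allow|accept)[[:space:]]+(all|ip)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]+via[[:space:]]+lo0"
DENY_TO_LO="${PREFIX}(deny|drop)[[:space:]]+(all|ip)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+127\.0\.0\.0/8"
DENY_FROM_LO="${PREFIX}(deny|drop)[[:space:]]+(all|ip)[[:space:]]+from[[:space:]]+127\.0\.0\.0/8[[:space:]]+to[[:space:]]+any"

# first_rule_number FILE REGEX: print the rule number of the first matching
# line (the token after an optional "add"), or nothing if unnumbered/absent.
first_rule_number() {
    grep -Ei "$2" "$1" | awk 'NR == 1 { n = ($1 == "add") ? $2 : $1; if (n ~ /^[0-9]+$/) print n }'
}

# check_rules_file FILE: print each missing or misordered protection and
# return the number of problems found (0 means the file is complete).
check_rules_file() {
    f=$1
    problems=0
    grep -Eiq "$LO0_PASS" "$f"     || { echo "missing: pass all from any to any via lo0";  problems=$((problems + 1)); }
    grep -Eiq "$DENY_TO_LO" "$f"   || { echo "missing: deny all from any to 127.0.0.0/8"; problems=$((problems + 1)); }
    grep -Eiq "$DENY_FROM_LO" "$f" || { echo "missing: deny ip from 127.0.0.0/8 to any";  problems=$((problems + 1)); }

    # ipfw evaluates rules in numeric order: the lo0 pass must come before the
    # deny to 127.0.0.0/8, or packets to 127.0.0.1 on lo0 never reach the pass.
    p=$(first_rule_number "$f" "$LO0_PASS")
    d=$(first_rule_number "$f" "$DENY_TO_LO")
    if [ -n "$p" ] && [ -n "$d" ] && [ "$p" -ge "$d" ]; then
        echo "misordered: lo0 pass (rule $p) must precede the 127.0.0.0/8 deny (rule $d)"
        problems=$((problems + 1))
    fi
    return $problems
}

# When run directly with a file argument, lint that file and exit with the problem count.
if [ "$#" -gt 0 ]; then
    check_rules_file "$RULES_FILE"
    exit $?
fi
```

Run it as `sh check_ipfw_rules.sh /path/to/your/rules` before pointing firewall_type at the file; a non-zero exit lists what the system scripts used to supply for you and no longer do.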