Date: Thu, 20 Jun 2019 05:32:18 +0000 From: bugzilla-noreply@freebsd.org To: ipfw@FreeBSD.org Subject: [Bug 238694] Configuring & using a customized IPFW rule set now causes additional rles to be (involuntarily) added Message-ID: <bug-238694-8303-GAEMUWtt9X@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-238694-8303@https.bugs.freebsd.org/bugzilla/> References: <bug-238694-8303@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238694 --- Comment #4 from rkoberman@gmail.com --- Bottom line default requirements: 1. System firewall must start with a deny-by-default rule in place when net= work starts 2. Both IPv4 and IPv6 must start 3. Mandatory packets must be allowed from network starts This includes loop= back for both IPv4 and IPv6 as well as support for several ICMPv6 and group addresses that are mandatory for default IPv6 function. When I suggested starting the firewall after the network had started, I was immediately (and correctly) shut down because of the security vulnerability this presents. That is why it needs proper documentation so you can insert rules between those that are mandatory. With spacing of every 100, there is= a lot of room. I have no answer for the issue of efficiency via the ordering of rules. Whi= le the time required to process these rules is very small, it is not zero. (Da= rn close for the trivial, stateless rules, though.) Since I agree the way it is done now is totally non-transparent, the only solution I can see is proper documentation. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238694-8303-GAEMUWtt9X>