From owner-freebsd-stable Thu Jan 24 21:15:15 2002
Delivered-To: freebsd-stable@freebsd.org
From: "Andrew Cowan" <andrew.cowan@hsd.com.au>
To: "Patrick Greenwell", "David Wolfskill"
Subject: RE: Firewall config non-intuitiveness
Date: Fri, 25 Jan 2002 16:14:50 +1100
In-Reply-To: <20020124203931.Q39519-100000@rockstar.stealthgeeks.net>
Sender: owner-freebsd-stable@FreeBSD.ORG

I agree, "firewall_enable" doesn't enable or disable the firewall (kernel config) - it only specifies what firewall rules are applied. Calling it "firewall_policy" would make more sense (or making "firewall_enable" = No automatically apply the OPEN policy).

Even though it is easy to remember after you have done it once, it is bad for user accessibility. Just multiply it by 1,000 times and you can understand why windows is still used more than unix.

-------------------------------------------
On Thu, 24 Jan 2002, David Wolfskill wrote:

> >Opinions welcome.
>
> Well, it seems reasonably well-documented to me:
>
> g1-7(4.5-RC)[1] grep -A6 IPFIREWALL_DEF /usr/src/sys/i386/conf/LINT
> # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
> # allow everything. Use with care, if a cracker can crash your
> # firewall machine, they can get to your protected machines. However,
> # if you are using it as an as-needed filter for specific problems as
> # they arise, then this may be for you. Changing the default to 'allow'
> # means that you won't get stuck if the kernel and /sbin/ipfw binary get
> # out of sync.
> --
> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> options IPV6FIREWALL #firewall for IPv6
> options IPV6FIREWALL_VERBOSE
> options IPV6FIREWALL_VERBOSE_LIMIT=100
> options IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT #divert sockets
> options IPFILTER #ipfilter support
> g1-7(4.5-RC)[2]
>
> And from my perspective, defaulting to "deny" is what makes sense.

I'm not disputing that a default deny makes sense when a firewall is enabled. What I find non-intuitive is that I have this "firewall_enable" knob to twiddle in the system config files, and it doesn't work. If I set it to "no" I still end up with a firewall set to default deny. In order to actually get no firewall, I have to set firewall_enable to "yes" and then set it to apply an "open" policy.

It's not my intent to get into a pissing match, I just think that's somewhat bass ackwards(sic).

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
Patrick Greenwell
Stealthgeeks,LLC. Operations Consulting
http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
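The trap the thread describes (IPFIREWALL compiled in, firewall_enable="NO", host boots default-deny) can be caught before a reboot by reading the kernel config and rc.conf together. The audit helper below is an added example, not code from the thread or from FreeBSD's rc scripts; it encodes only the behaviour the messages state (knob off means the compiled-in default rule decides, knob on applies firewall_type) and the sample files it writes are constructed.

```sh
#!/bin/sh
# Predict the boot-time ipfw posture from a kernel config and an rc.conf,
# following the behaviour described in the thread (added example, assumption:
# any firewall_type other than "open" is just reported by name).

# rc_value FILE VAR: value of VAR=... in FILE, quotes stripped, last one wins
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# has_option FILE OPTION: true if the kernel config has "options OPTION"
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|"'$)' "$1"
}

# effective_policy KERNCONF RCCONF: prints one of
#   no-ipfw | default-deny | default-accept | ruleset:<firewall_type>
effective_policy() {
    kern=$1 rc=$2
    if ! has_option "$kern" IPFIREWALL; then
        echo no-ipfw; return
    fi
    enable=$(rc_value "$rc" firewall_enable | tr '[:upper:]' '[:lower:]')
    case "$enable" in
        yes|true|on|1)
            ftype=$(rc_value "$rc" firewall_type)
            echo "ruleset:${ftype:-UNKNOWN}"
            ;;
        *)
            # Knob off: rc.conf rules are never loaded, so the compiled-in
            # default rule decides. This is the surprise in the thread.
            if has_option "$kern" IPFIREWALL_DEFAULT_TO_ACCEPT; then
                echo default-accept
            else
                echo default-deny
            fi
            ;;
    esac
}

# Constructed sample files for a stand-alone run (not real system files).
TMP=${TMPDIR:-/tmp}/ipfw-audit.$$
mkdir -p "$TMP"
printf 'options IPFIREWALL\noptions IPFIREWALL_VERBOSE\n' > "$TMP/KERN_DENY"
printf 'options IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$TMP/KERN_ACCEPT"
printf 'firewall_enable="NO"\n' > "$TMP/rc.off"
printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$TMP/rc.open"
effective_policy "$TMP/KERN_DENY" "$TMP/rc.off"     # default-deny
effective_policy "$TMP/KERN_ACCEPT" "$TMP/rc.off"   # default-accept
effective_policy "$TMP/KERN_DENY" "$TMP/rc.open"    # ruleset:open
```

Run it against the real /usr/src/sys/i386/conf/<KERNEL> and /etc/rc.conf to see which of the four states a host will boot into; "default-deny" with the knob off is the case to flag.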