Date: Thu, 24 Jan 2002 22:03:02 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Patrick Greenwell <patrick@stealthgeeks.net>
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020124220302.N87663@blossom.cjclark.org>
In-Reply-To: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Thu, Jan 24, 2002 at 08:21:50PM -0800
References: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>
On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
>
> I recently got bit by this: I have firewall options configured into my
> kernel, and made the mistake of thinking that in order to disable
> this functionality to allow all traffic that I merely needed to remove the
> firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> /etc/defaults/rc.conf.
>
> This did not have the intended result of disabling the firewall, rather a
> default deny was applied. If firewall_enable is set to NO, wouldn't it make
> more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> missing something?
>
> Opinions welcome.

I think this is a valid point. When 'firewall_enable="NO"' the
firewalling should be disabled with the net.inet.ip.fw.enable
sysctl(8).

That said, it _may_ be a little late to make this change in
-STABLE. Although the name may be misleading, I think the rest of the
documentation is accurate. Besides all the stuff people have quoted
about the 'options IPFIREWALL' in the kernel, I think rc.conf(5) is
fairly clear,

     firewall_enable
             (bool) Set to ``YES'' to load firewall rules at startup.
             If the kernel was not built with IPFIREWALL, the ipfw
             kernel module will be loaded.  See also ipfilter_enable.

In that it only says special things happen when it is "YES" and
doesn't say it is explicitly disabled when set to "NO." Since this is
such a security critical option, I really hesitate when it comes to
changing this in -STABLE. -CURRENT OTOH...
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
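A small audit script for the trap discussed in this thread, added here as an example; it is not part of the exchange and not FreeBSD's own rc code. It reproduces the boot-time logic in plain sh: rc.conf files are shell assignments, /etc/defaults/rc.conf is read first and /etc/rc.conf overrides it, a true firewall_enable means rc.firewall loads rules, and an IPFIREWALL kernel with no rules loaded sits on the default deny rule. The state names (rules-loaded, no-firewall, default-deny, default-accept) are this script's own, and IPFIREWALL_DEFAULT_TO_ACCEPT is the standard kernel option that flips the default rule to accept; it is not mentioned in the thread and is included here as an assumption. File paths are parameters so the script runs on constructed files without touching a live host.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc scripts.
# Predicts what ipfw will do at boot for a given kernel config and a
# defaults/local rc.conf pair, to catch the case described above:
# removing firewall_enable from /etc/rc.conf falls back to the "NO" in
# /etc/defaults/rc.conf, and an IPFIREWALL kernel with no rules loaded
# is default-deny.

# rc_value VAR DEFAULTS_FILE LOCAL_FILE
# rc.conf files are shell assignments; the local file is sourced after the
# defaults file in a subshell, so the last assignment wins (rc.conf(5)).
rc_value() {
    _var=$1
    (
        [ -f "$2" ] && . "$2"
        [ -f "$3" ] && . "$3"
        eval "printf '%s\n' \"\${$_var}\""
    )
}

# checkyesno VALUE: the spellings the rc scripts treat as a true boolean.
checkyesno() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# kernel_has OPTION KERNCONF: exact option match, so IPFIREWALL does not
# match IPFIREWALL_VERBOSE.
kernel_has() {
    grep -Eq "^options[[:space:]]+$1([[:space:]]|$)" "$2"
}

# ipfw_boot_state KERNCONF DEFAULTS_RC LOCAL_RC -> prints one of
#   rules-loaded    firewall_enable is true; rc.firewall loads firewall_type
#   no-firewall     ipfw neither in the kernel nor loaded; traffic passes
#   default-deny    IPFIREWALL in kernel, nothing loaded rules: only the
#                   final deny rule is in effect (the trap in this thread)
#   default-accept  as above, but kernel has IPFIREWALL_DEFAULT_TO_ACCEPT
#                   (assumed standard kernel option, not from the thread)
ipfw_boot_state() {
    kernconf=$1
    enable=$(rc_value firewall_enable "$2" "$3")
    if checkyesno "$enable"; then
        echo rules-loaded
    elif ! kernel_has IPFIREWALL "$kernconf"; then
        echo no-firewall
    elif kernel_has IPFIREWALL_DEFAULT_TO_ACCEPT "$kernconf"; then
        echo default-accept
    else
        echo default-deny
    fi
}

# Demo on constructed files (not a real host): the poster's situation.
tmp=$(mktemp -d)
printf 'firewall_enable="NO"\nfirewall_type="UNKNOWN"\n' > "$tmp/defaults.rc.conf"
printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_VERBOSE\n' > "$tmp/KERNCONF"
: > "$tmp/rc.conf"    # firewall_enable removed from the local rc.conf
echo "firewall_enable absent from rc.conf -> $(ipfw_boot_state "$tmp/KERNCONF" "$tmp/defaults.rc.conf" "$tmp/rc.conf")"
rm -rf "$tmp"
```

On a live host the same reasoning can be confirmed directly: `sysctl net.inet.ip.fw.enable` shows whether the filter is active and `ipfw list` shows whether anything beyond the final rule is loaded. A default-deny result from the script means the host is about to lose connectivity at boot, and the remedies are the ones the thread names: either set `firewall_enable="YES"` with a `firewall_type` that loads the intended rules, or disable filtering with the net.inet.ip.fw.enable sysctl.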
