From owner-freebsd-stable Thu Jan 24 22:03:49 2002
Date: Thu, 24 Jan 2002 22:03:02 -0800
From: "Crist J. Clark"
To: Patrick Greenwell
Cc: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020124220302.N87663@blossom.cjclark.org>
References: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>
In-Reply-To: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Thu, Jan 24, 2002 at 08:21:50PM -0800
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> 
> I recently got bit by this: I have firewall options configured into my
> kernel, and made the mistake of thinking that in order to disable
> this functionality to allow all traffic that I merely needed to remove the
> firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> /etc/defaults/rc.conf.
> 
> This did not have the intended result of disabling the firewall, rather a
> default deny was applied. If firewall_enable is set to NO, wouldn't it make
> more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> missing something?
> 
> Opinions welcome.

I think this is a valid point. When 'firewall_enable="NO"' the firewalling
should be disabled with the net.inet.ip.fw.enable sysctl(8). That said, it
_may_ be a little late to make this change in -STABLE.

Although the name may be misleading, I think the rest of the documentation
is accurate. Besides all the stuff people have quoted about the 'options
IPFIREWALL' in the kernel, I think rc.conf(5) is fairly clear,

     firewall_enable
                 (bool) Set to ``YES'' to load firewall rules at startup.
                 If the kernel was not built with IPFIREWALL, the ipfw
                 kernel module will be loaded.  See also ipfilter_enable.

In that it only says special things happen when it is "YES" and doesn't
say it is explicitly disabled when set to "NO." Since this is such a
security critical option, I really hesitate when it comes to changing this
in -STABLE. -CURRENT OTOH...
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
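The rc behaviour the thread argues about, as an added example that is not part of the original message and not FreeBSD's own rc code: a POSIX sh model of how firewall_enable is resolved (defaults file first, then rc.conf overriding it), what the rc logic of the time does with the result, and the change Patrick proposes, side by side. The file paths passed to the functions and the sample config contents are constructed for the demo; the live check uses the real sysctl(8) and ipfw(8) commands and simply reports their absence on a non-FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc scripts.
# Models how rc arrives at an effective firewall_enable value and contrasts
# what the rc logic described in the thread does with that value against the
# change proposed there. Sample config files below are constructed.

# effective_firewall_enable DEFAULTS_FILE RC_CONF
# Resolves firewall_enable the way rc does: source the defaults file, then
# the local rc.conf. A value deleted from rc.conf therefore silently falls
# back to the defaults file, which ships with NO.
effective_firewall_enable() {
    firewall_enable=""
    [ -r "$1" ] && . "$1"
    [ -r "$2" ] && . "$2"
    printf '%s\n' "${firewall_enable:-UNSET}"
}

# rc_action VALUE
# What the rc logic described in the thread does: only "YES" loads rules.
# Any other value leaves the kernel untouched, so a kernel built with
# 'options IPFIREWALL' (and without IPFIREWALL_DEFAULT_TO_ACCEPT) keeps its
# compiled-in default deny and net.inet.ip.fw.enable stays at 1.
rc_action() {
    case "$1" in
    [Yy][Ee][Ss]) echo "load rules" ;;
    *)            echo "leave kernel default" ;;
    esac
}

# proposed_action VALUE
# The behaviour Patrick asks for and Crist calls a valid point: an explicit
# NO additionally turns the packet filter off via sysctl, so the in-kernel
# default deny no longer blocks traffic.
proposed_action() {
    case "$1" in
    [Yy][Ee][Ss]) echo "load rules" ;;
    [Nn][Oo])     echo "sysctl net.inet.ip.fw.enable=0" ;;
    *)            echo "leave kernel default" ;;
    esac
}

# live_state
# Defender's check on a running FreeBSD box: what the kernel actually does
# right now, regardless of what rc.conf says. Reports absence of ipfw
# instead of failing on other systems.
live_state() {
    if sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1; then
        printf 'net.inet.ip.fw.enable=%s\n' "$(sysctl -n net.inet.ip.fw.enable)"
        ipfw list 2>/dev/null || echo "ipfw list failed (need root?)"
    else
        echo "no ipfw sysctl on this host"
    fi
}

# demo
# Reproduces Patrick's situation with constructed files: the defaults file
# says NO and the local rc.conf no longer mentions firewall_enable at all.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'firewall_enable="NO"\n' > "$tmp/defaults.rc.conf"
    printf 'hostname="gw.example"\n' > "$tmp/rc.conf"
    v=$(effective_firewall_enable "$tmp/defaults.rc.conf" "$tmp/rc.conf")
    echo "effective firewall_enable: $v"
    echo "rc as shipped:   $(rc_action "$v")"
    echo "proposed change: $(proposed_action "$v")"
    live_state
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh example.sh demo`. The point the model makes concrete is that removing the line from rc.conf does not produce a value the rc script acts on; it produces NO, and the shipped logic treats NO exactly like any other non-YES value, leaving a default-deny kernel closed.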