Date: Fri, 25 Jan 2002 18:10:19 +1100
From: "Andrew Cowan" <andrew.cowan@hsd.com.au>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>, "Patrick Greenwell" <patrick@stealthgeeks.net>
Cc: <stable@FreeBSD.ORG>
Subject: RE: Firewall config non-intuitiveness
Message-ID: <NEBBJIKPNGEHLCBOLMDMOELEFOAC.andrew.cowan@hsd.com.au>
In-Reply-To: <20020124220302.N87663@blossom.cjclark.org>
> On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> >
> > I recently got bit by this: I have firewall options configured into my
> > kernel, and made the mistake of thinking that in order to disable
> > this functionality to allow all traffic that I merely needed to remove the
> > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > /etc/defaults/rc.conf.
> >
> > This did not have the intended result of disabling the firewall, rather a
> > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > missing something?
> >
> > Opinions welcome.
>
> I think this is a valid point. When 'firewall_enable="NO"' the
> firewalling should be disabled with the net.inet.ip.fw.enable
> sysctl(8).

Sounds good - just print a big fat warning message when it does so :)

> That said, it _may_ be a little late to make this change in
> -STABLE. Although the name may be misleading, I think the rest of the
> documentation is accurate. Besides all the stuff people have quoted
> about the 'options IPFIREWALL' in the kernel, I think rc.conf(5) is
> fairly clear,
>
>      firewall_enable
>              (bool) Set to ``YES'' to load firewall rules at startup.
>              If the kernel was not built with IPFIREWALL, the ipfw
>              kernel module will be loaded. See also ipfilter_enable.
>
> In that it only says special things happen when it is "YES" and
> doesn't say it is explicitly disabled when set to "NO." Since this is
> such a security critical option, I really hesitate when it comes to
> changing this in -STABLE. -CURRENT OTOH...
> --
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
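As an added example (not code from the thread or from FreeBSD's own rc scripts), a POSIX shell sketch of the behaviour proposed above: resolve firewall_enable the way rc does, /etc/defaults/rc.conf first and then rc.conf, and when it is not YES while IPFIREWALL is compiled into the kernel, explicitly set net.inet.ip.fw.enable=0 and warn. The function names, the constructed sample rc.conf files and the "kernel has IPFIREWALL" flag are assumptions; the sysctl command is only echoed, never executed.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc scripts.
# Models the firewall_enable decision discussed above; commands are
# echoed rather than executed, so it runs on any POSIX shell.

# Mimic rc.subr's checkyesno: YES/TRUE/ON/1 true, anything else false.
checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve firewall_enable the way rc does: /etc/defaults/rc.conf first,
# then the local rc.conf overrides it.  Removing the variable from
# rc.conf therefore yields the default, NO, not "firewall off".
# $1 = defaults file, $2 = local rc.conf (paths are assumptions).
resolve_firewall_enable() {
    firewall_enable=NO
    [ -r "$1" ] && . "$1"
    [ -r "$2" ] && . "$2"
    printf '%s\n' "$firewall_enable"
}

# What the init script should do.  $1 = firewall_enable value,
# $2 = 1 if IPFIREWALL is compiled into the kernel (assumed flag).
firewall_action() {
    if checkyesno "$1"; then
        echo "load-rules"        # rc.firewall would run here
    elif [ "$2" = 1 ]; then
        # The case from the thread: ipfw is in the kernel with no rules,
        # so traffic hits the default deny.  Disable it and warn loudly.
        echo "WARNING: IPFIREWALL in kernel, firewall_enable=$1;" \
             "disabling it via net.inet.ip.fw.enable=0" >&2
        echo "sysctl net.inet.ip.fw.enable=0"
    else
        echo "noop"              # no ipfw in kernel, nothing to do
    fi
}

# Constructed demo reproducing the setup described in the thread: defaults
# say NO, the local rc.conf omits the variable, the kernel has IPFIREWALL.
demo_dir=$(mktemp -d)
printf 'firewall_enable="NO"\n' > "$demo_dir/defaults.rc.conf"
: > "$demo_dir/rc.conf"
firewall_action "$(resolve_firewall_enable "$demo_dir/defaults.rc.conf" \
                                           "$demo_dir/rc.conf")" 1
rm -rf "$demo_dir"
```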