From owner-freebsd-current Mon Feb 26 05:26:34 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA18134 for current-outgoing; Mon, 26 Feb 1996 05:26:34 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id FAA18129 Mon, 26 Feb 1996 05:26:32 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0tr2wc-0003wSC; Mon, 26 Feb 96 05:26 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id OAA11366; Mon, 26 Feb 1996 14:26:25 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: michael butler
cc: stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
In-reply-to: Your message of "Mon, 26 Feb 1996 23:28:56 +1100." <199602261228.XAA07877@asstdc.scgt.oz.au>
Date: Mon, 26 Feb 1996 14:26:23 +0100
Message-ID: <11364.825341183@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@freebsd.org
Precedence: bulk

> If you ^C your way to a shell prompt, there's a single rule that's in the
> firewall list saying "deny all from any to any". Courtesy of the same recent
> brain-damage in ipfw(8), you can't delete this rule either ("setsockopt
> failed").

If you call this "brain-damage" then you quite clearly don't need IPFW.

> I suspect the very same problem in -current.
>
> The only workaround I can think of is to add "ipfw addf accept .."
> statements _prior_ to the running of ifconfig in netstart .. theory as yet
> untested ..

This is all correct, designed that way, and it is the way it should work, according to all material I have on the subject.

If you have IPFW in your kernel, you don't want it to pass any packets you haven't approved in your filters. QED: Set up your filters before anything gets passed.

Wrt to the rule #65535 "deny all from any to any", then you are correct, you cannot delete it.
It represents the default policy of "anything not specifically allowed is banned." If you want to have another policy, then you must define rules that implement that policy; "65000 allow all from any to any" sounds like the policy for your needs.

If you want to dispute this design, then please find at least one textbook or capacity in the area who agrees with you first; that will save a lot of my time.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
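Added example, not part of the mail above and not FreeBSD's ipfw code: a small Python model of the first-match rule list the reply describes, with the non-deletable rule 65535 "deny all from any to any" as the default policy and a "65000 allow all from any to any" rule flipping it to allow-by-default. The RuleSet class, its address matching and the sample addresses are constructed for illustration.

```python
# Constructed model of IPFW's rule list: rules are numbered, evaluated lowest
# number first, and the built-in rule 65535 (deny all) always sits at the end.
DEFAULT_RULE = 65535  # the default-policy rule; IPFW does not let you delete it


class RuleSet:
    """Hypothetical in-memory stand-in for the kernel's ipfw rule chain."""

    def __init__(self):
        # rule number -> (action, src, dst); "any" matches every address
        self.rules = {DEFAULT_RULE: ("deny", "any", "any")}

    def add(self, number, action, src="any", dst="any"):
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule numbers must be below the default rule 65535")
        self.rules[number] = (action, src, dst)

    def delete(self, number):
        # Models the "setsockopt failed" the original poster saw: the
        # default policy rule is refused, everything else is removable.
        if number == DEFAULT_RULE:
            raise PermissionError("rule 65535 is the default policy; not deletable")
        del self.rules[number]

    def check(self, src, dst):
        """Return the action of the first (lowest-numbered) matching rule."""
        for number in sorted(self.rules):
            action, rsrc, rdst = self.rules[number]
            if rsrc in ("any", src) and rdst in ("any", dst):
                return action
        return "deny"  # not reachable: rule 65535 matches everything


def demo():
    """Walk through the policy change discussed in the mail (constructed addresses)."""
    fw = RuleSet()
    results = {"only_default": fw.check("10.0.0.5", "10.0.0.1")}  # deny: nothing approved yet
    fw.add(65000, "allow")                                          # new policy: allow unless denied
    results["allow_all"] = fw.check("10.0.0.5", "10.0.0.1")
    fw.add(100, "deny", src="192.0.2.9")                            # a specific deny ranks before 65000
    results["blocked_host"] = fw.check("192.0.2.9", "10.0.0.1")
    results["other_host"] = fw.check("10.0.0.5", "10.0.0.1")
    try:
        fw.delete(DEFAULT_RULE)
        results["delete_default"] = "deleted"
    except PermissionError:
        results["delete_default"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```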