Date:      Fri, 25 Jan 2002 09:21:54 +0000
From:      Nik Clayton <nik@freebsd.org>
To:        Patrick Greenwell <patrick@stealthgeeks.net>
Cc:        stable@freebsd.org
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020125092154.U53456@clan.nothing-going-on.org>
In-Reply-To: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>; from patrick@stealthgeeks.net on Thu, Jan 24, 2002 at 08:21:50PM -0800
References:  <20020124201411.A39351-100000@rockstar.stealthgeeks.net>

On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> I recently got bit by this: I have firewall options configured into my
> kernel, and made the mistake of thinking that in order to disable
> this functionality to allow all traffic that I merely needed to remove the
> firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> /etc/defaults/rc.conf.
>
> This did not have the intended result of disabling the firewall, rather a
> default deny was applied. If firewall_enable is set to NO, wouldn't it make
> more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> missing something?
>
> Opinions welcome.

I've got a hunch this needs to be a tri-state variable.

   YES -- Load the firewall rules
   NO  -- Do nothing, default policy is compiled in to the kernel
   OFF -- Explicitly set net.inet.ip.fw.enable=0

or similar.

N
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)
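
The three states proposed in the reply, applied to the situation in the quoted question, as an added sketch (not FreeBSD's rc code and not part of either message). `OFF` is the proposed value, not an existing setting; the function names and the sample rc.conf files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration only. Function names are hypothetical; OFF is the value
# proposed in the reply above, not an existing rc.conf setting.

# rc_value FILE...: source the files in order, as the rc scripts do, so a
# later file (rc.conf) overrides an earlier one (defaults/rc.conf).
rc_value() (
    firewall_enable=""
    for f in "$@"; do
        if [ -r "$f" ]; then . "$f"; fi
    done
    echo "${firewall_enable:-NO}"
)

# fw_outcome VALUE KERNEL_DEFAULT: what decides the fate of traffic.
# KERNEL_DEFAULT is "deny" for a kernel built with options IPFIREWALL alone,
# "accept" when IPFIREWALL_DEFAULT_TO_ACCEPT is also compiled in.
fw_outcome() {
    case "$(echo "$1" | tr '[:lower:]' '[:upper:]')" in
        YES) echo "ruleset" ;;        # rules loaded, ruleset decides
        NO)  echo "default-$2" ;;     # nothing done, compiled-in policy applies
        OFF) echo "disabled" ;;       # net.inet.ip.fw.enable=0, ipfw bypassed
        *)   echo "unknown"; return 1 ;;
    esac
}

# The quoted case: firewall_enable removed from rc.conf, so the NO from the
# defaults file applies, on a kernel whose compiled-in default is deny.
poster_case() {
    d=$(mktemp -d) || return 1
    printf 'firewall_enable="NO"\n' > "$d/defaults_rc.conf"  # constructed sample
    printf 'hostname="example"\n'   > "$d/rc.conf"           # constructed, knob removed
    fw_outcome "$(rc_value "$d/defaults_rc.conf" "$d/rc.conf")" deny
    rm -rf "$d"
}

poster_case
```

The NO row is the one that depends on how the kernel was built, which is why removing the knob left a default deny in place.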
