From owner-freebsd-security Fri Oct 6 1:55:16 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id ED1B937B502 for ; Fri, 6 Oct 2000 01:54:45 -0700 (PDT)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13hTHE-000794-00; Fri, 06 Oct 2000 10:54:48 +0200
Date: Fri, 6 Oct 2000 10:54:48 +0200 (IST)
From: Roman Shterenzon
To: Dag-Erling Smorgrav
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Default Deny
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 6 Oct 2000, Dag-Erling Smorgrav wrote:

> Roman Shterenzon writes:
> > The ipfilter in freebsd seems cursed or abandoned.
> > Example: this option is not documented.
> > Another example: there're no hooks to start ipfilter from /etc/rc*
> > even though there's PR: 20202
>
> Put this in your rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/firewall"
>
> Where /etc/firewall is a shell script that sets up your firewall.

Excerpt from /etc/rc.network:

case ${firewall_enable} in
[Yy][Ee][Ss])
        if [ "${firewall_in_kernel}" -eq 0 ] && kldload ipfw; then
                firewall_in_kernel=1
                echo "Kernel firewall module loaded."
        elif [ "${firewall_in_kernel}" -eq 0 ]; then
                echo "Warning: firewall kernel module failed to load."
        fi
        ;;
esac
..

So obviously this hook is not really right.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
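The point of the excerpt above is that the firewall_enable hook only ever tries to load ipfw, so an /etc/firewall script meant for ipfilter depends on an unrelated module being loadable. The following is an added example, not code from the mail or from FreeBSD's rc.network: it models the quoted case block as a shell function with kldload(8) replaced by an injectable stand-in, so the hook's behaviour can be exercised on any system. It assumes (the mail does not show this part) that rc.network runs ${firewall_script} only once firewall_in_kernel is 1; the fake_kldload helpers are constructed for the demonstration.

```sh
# Added example, not from the mail or from rc.network: a stand-alone model
# of the quoted hook. kldload(8) is replaced by a command passed in as an
# argument so the logic runs without a FreeBSD kernel.
# Assumption (not shown in the mail): ${firewall_script} is sourced only
# once firewall_in_kernel is 1.

# fake_kldload MODULE: stand-in for kldload(8) on a kernel that can load ipfw.
fake_kldload() {
    [ "$1" = ipfw ]
}

# fake_kldload_none MODULE: stand-in for a kernel where no module loads
# (for example one built without IPFIREWALL but with ipfilter compiled in).
fake_kldload_none() {
    return 1
}

# firewall_hook ENABLE IN_KERNEL LOADER
# Mirrors the rc.network excerpt and prints
# "<module the hook tried> <firewall_in_kernel> <script run yes/no>".
firewall_hook() {
    firewall_enable=$1
    firewall_in_kernel=$2
    loader=$3
    tried=none
    script_run=no
    case ${firewall_enable} in
    [Yy][Ee][Ss])
        tried=ipfw          # the hook never asks for an ipfilter module
        if [ "${firewall_in_kernel}" -eq 0 ] && "$loader" ipfw; then
            firewall_in_kernel=1
        fi
        ;;
    esac
    # Assumed: firewall_script (an ipf ruleset loader, say) is sourced only now,
    # so it is skipped whenever ipfw is neither in the kernel nor loadable.
    if [ "${firewall_in_kernel}" -eq 1 ]; then
        script_run=yes
    fi
    echo "${tried} ${firewall_in_kernel} ${script_run}"
}

# Usage: compare a kernel that can load ipfw with one that cannot.
firewall_hook YES 0 fake_kldload        # ipfw 1 yes
firewall_hook YES 0 fake_kldload_none   # ipfw 0 no   (ipfilter script never runs)
firewall_hook NO  0 fake_kldload        # none 0 no
```

The second call is the failure mode the mail complains about: with firewall_enable="YES" and a kernel that has no ipfw, the hook reports a module failure and, under the stated assumption, never reaches the ipfilter script, even though ipfilter itself needs nothing from ipfw.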