Date: Tue, 29 Jan 2002 19:54:01 -0000
From: Matthew Whelan <muttley@gotadsl.co.uk>
To: "Thomas T. Veldhouse" <veldy@veldy.net>, Matthew Dillon <dillon@apollo.backplane.com>
Cc: andrew.cowan@hsd.com.au, "Nate Williams" <nate@yogotech.com>, "Freebsd-Stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <SQ5323WMGH94GE51S204VULSNEA.3c56fdd9@VicNBob>
In-Reply-To: <200201290617.g0T6HO036172@apollo.backplane.com>
> Let's not make things even more confusing than they already are. The
> answer to me is simple:
>
> If firewall_enable is "NO" and ipfw is active, /etc/rc* should
> simply add a rule to allow all traffic. Simple. Problem solved.
But the net effect of this would be the same as knocking out the firewall
via sysctl - all traffic is passed; again, this is not fail-safe, which is
exactly why there are so many messages in this thread and its family ;p
In fact, this is exactly what the existing rc scripts do if:
firewall_enable=YES
firewall_type=open
(which is what LINT tells you to do if you have ipfw compiled in but aren't
ready to load your rules yet)
I still think Warner's original post under the current subject was nearest
the mark of the larger re-works proposed so far. Perhaps personally I'd
tweak it to be like:
ipfw_force_kldload=NO   # Load kernel module if needed, regardless
                        # of ipfw_load_rules setting below
ipfw_load_rules=NO      # Load ruleset specified below. Kernel
                        # module will be loaded if needed
                        # NOTE: IF NO AND IPFIREWALL IN KERNEL, YOU
                        # WILL BE LOCKED OUT UNLESS KERNEL HAS
                        # IPFIREWALL_DEFAULT_TO_ACCEPT
<and of course rename other firewall_* -> ipfw_*, which I will assume below>
ipfw_force_kldload can then happen before ifconfig, so policy-DENY systems
don't have the insecure window when loading from a module. Behaviour of
ipfw_load_rules=YES and ipfw_force_kldload=NO should be exactly as it is at
present with firewall_enable=YES - module still gets loaded if it's needed.
ipfw_load_rules is of course just firewall_enable with a less confusing
name.
There is no need for an option to disable ipfw entirely - LINT already tells
you how to handle the situation where you have ipfw loaded.
Perhaps LINT should also remind users that ipfw_type=open is useless unless
ipfw_load_rules=YES is also specified. Perhaps also the tip should be
duplicated in rc.conf(5).
I also quite like the idea of reducing the magic in the
firewall_type/firewall_script pair... a couple of other proposals have come
close but one bloated too far whereas the other removed existing
functionality. I'd settle for:
ipfw_type={open,closed,client,simple,script,ruleset}
ipfw_script_file=<path to script>
ipfw_ruleset_file=<path to ruleset>
Matthew
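As an added illustration (not the poster's code and not FreeBSD's rc scripts) of the ipfw_force_kldload / ipfw_load_rules / ipfw_type semantics proposed above, including the lockout case the rc.conf comment warns about: the kernel's IPFIREWALL and IPFIREWALL_DEFAULT_TO_ACCEPT options are passed in as arguments (assumed, not probed), and the resulting plan is printed rather than executed.

```shell
#!/bin/sh
# Added example (not FreeBSD rc code): models the rc.conf semantics proposed
# in the message. Kernel facts are passed in as arguments and the plan is
# printed instead of run, so it is safe to execute anywhere.

# ipfw_plan FORCE_KLD LOAD_RULES TYPE IN_KERNEL DEFAULT_ACCEPT
#   FORCE_KLD      ipfw_force_kldload (YES/NO)
#   LOAD_RULES     ipfw_load_rules    (YES/NO)
#   TYPE           ipfw_type
#   IN_KERNEL      kernel built with IPFIREWALL (YES/NO)
#   DEFAULT_ACCEPT kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT (YES/NO)
# Prints the ordered actions the rc scripts would take.
ipfw_plan() {
    force_kld=$1 load_rules=$2 type=$3 in_kernel=$4 default_accept=$5
    plan=""
    # Before ifconfig: force the module in so a default-deny policy exists
    # before any interface comes up (closes the insecure window).
    if [ "$force_kld" = YES ] && [ "$in_kernel" != YES ]; then
        plan="${plan}kldload:early "
    fi
    if [ "$load_rules" = YES ]; then
        # Same as today's firewall_enable=YES: module loaded on demand.
        if [ "$in_kernel" != YES ] && [ "$force_kld" != YES ]; then
            plan="${plan}kldload:late "
        fi
        plan="${plan}rules:${type} "
    elif [ "$in_kernel" = YES ] && [ "$default_accept" != YES ]; then
        # The lockout the proposed rc.conf comment warns about: ipfw is in
        # the kernel, no rules get loaded, and the default policy is deny.
        # ipfw_type=open changes nothing here because rules never load.
        plan="${plan}WARN:locked-out "
    fi
    printf '%s\n' "${plan% }"
}

# ipfw_type_ok TYPE SCRIPT_FILE RULESET_FILE
# Accepts the proposed ipfw_type values; script/ruleset need their file set.
ipfw_type_ok() {
    case $1 in
        open|closed|client|simple) return 0 ;;
        script)  [ -n "$2" ] ;;
        ruleset) [ -n "$3" ] ;;
        *) return 1 ;;
    esac
}

# Demo: ipfw in kernel, default deny, ipfw_type=open but rules disabled.
ipfw_plan NO NO open YES NO
```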
