From: Matthew Whelan
To: "Thomas T. Veldhouse", Matthew Dillon
Cc: andrew.cowan@hsd.com.au, "Nate Williams", "Freebsd-Stable"
Date: Tue, 29 Jan 2002 19:54:01 -0000
In-Reply-To: <200201290617.g0T6HO036172@apollo.backplane.com>
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]

> Let's not make things even more confusing than they already are. The
> answer to me is simple:
>
> If firewall_enable is "NO" and ipfw is active, /etc/rc* should
> simply add a rule to allow all traffic. Simple. Problem solved.

But the net effect of this would be the same as knocking out the firewall
via sysctl - all traffic is passed; again, this is not fail-safe, which is
exactly why there are so many messages in this thread and its family ;p

In fact, this is exactly what the existing rc scripts do if:

    firewall_enable=YES
    firewall_type=open

(which is what LINT tells you to do if you have ipfw compiled in but aren't
ready to load your rules yet)

I still think Warner's original post under the current subject was nearest
the mark of the larger re-works proposed so far.
Perhaps personally I'd tweak it to be like:

    ipfw_force_kldload=NO   # Load kernel module if needed, regardless
                            # of ipfw_load_rules setting below
    ipfw_load_rules=NO      # Load ruleset specified below. Kernel
                            # module will be loaded if needed
                            # NOTE: IF NO AND IPFIREWALL IN KERNEL, YOU
                            # WILL BE LOCKED OUT UNLESS KERNEL HAS
                            # IPFIREWALL_DEFAULT_TO_ACCEPT

    ipfw_*, which I will assume below>

ipfw_force_kldload can then happen before ifconfig, so policy-DENY systems
don't have the insecure window when loading from a module.

Behaviour of ipfw_load_rules=YES and ipfw_force_kldload=NO should be exactly
as it is at present with firewall_enable=YES - module still gets loaded if
it's needed. ipfw_load_rules is of course just firewall_enable with a less
confusing name.

There is no need for an option to disable ipfw entirely - LINT already tells
you how to handle the situation where you have ipfw loaded.

Perhaps LINT should also remind users that ipfw_type=open is useless unless
ipfw_load_rules=YES is also specified. Perhaps also the tip should be
duplicated in rc.conf(5).

I also quite like the idea of reducing the magic in the
firewall_type/firewall_script pair... a couple of other proposals have come
close, but one bloated too far whereas the other removed existing
functionality. I'd settle for:

    ipfw_type={open,closed,client,simple,script,ruleset}
    ipfw_script_file=
    ipfw_ruleset_file=

Matthew
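A dry-run checker for the knobs proposed in this message, added here as an example and not code from the thread or from FreeBSD's rc scripts: it reads ipfw_load_rules and ipfw_force_kldload from an rc.conf-style file without sourcing it, takes the two kernel facts (IPFIREWALL compiled in, IPFIREWALL_DEFAULT_TO_ACCEPT set) as assumed arguments, and reports whether the box would end up filtering, wide open, or locked out, plus whether a module-loaded ipfw leaves the startup window the message describes.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD: dry run of the proposed
# ipfw_* rc.conf knobs. Kernel facts (IPFIREWALL in kernel? DEFAULT_TO_ACCEPT?)
# are passed in as assumptions since they are not readable from rc.conf.

# rc_get FILE VAR: extract VAR from an rc.conf-style file without sourcing it
# (nothing in the file is executed); last assignment wins, result upper-cased.
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/#.*//' \
        | tr -d "\"' " | tr '[:lower:]' '[:upper:]'
}

# ipfw_boot_outcome FILE IN_KERNEL DEFAULT_ACCEPT   (YES/NO for the last two)
# Prints what ipfw would be doing once rc has finished:
#   no-firewall  ipfw neither compiled in nor loaded
#   ruleset      ipfw present and ipfw_load_rules=YES loaded the rules
#   wide-open    ipfw present, no rules, default accept: passes everything
#   locked-out   ipfw present, no rules, default deny: the NOTE in the proposal
ipfw_boot_outcome() {
    load_rules=$(rc_get "$1" ipfw_load_rules); load_rules=${load_rules:-NO}
    force_kld=$(rc_get "$1" ipfw_force_kldload); force_kld=${force_kld:-NO}
    present=$2
    # either knob pulls the module in when ipfw is not compiled in
    if [ "$force_kld" = YES ] || [ "$load_rules" = YES ]; then present=YES; fi
    if [ "$present" != YES ]; then echo no-firewall
    elif [ "$load_rules" = YES ]; then echo ruleset
    elif [ "$3" = YES ]; then echo wide-open
    else echo locked-out
    fi
}

# ipfw_has_startup_window FILE IN_KERNEL: true when ipfw only arrives as a
# module together with the ruleset (ipfw_force_kldload=NO), i.e. after
# ifconfig per the ordering described in the message, leaving a gap on a
# policy-DENY system.
ipfw_has_startup_window() {
    force_kld=$(rc_get "$1" ipfw_force_kldload)
    [ "$2" != YES ] && [ "${force_kld:-NO}" != YES ] \
        && [ "$(rc_get "$1" ipfw_load_rules)" = YES ]
}

# Constructed sample rc.conf fragment: the lock-out case from the NOTE.
sample=$(mktemp)
printf 'ipfw_force_kldload="NO"\nipfw_load_rules="no"  # not ready yet\n' > "$sample"
echo "IPFIREWALL in kernel, no DEFAULT_TO_ACCEPT: $(ipfw_boot_outcome "$sample" YES NO)"
rm -f "$sample"
```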