From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Subject: Re: Change IPFW default to allow
Date: Sun, 09 Dec 2018 14:21:51 -0800
In-Reply-To: <5C0D65CB.8080602@gmail.com> (Ernie Luzar's message of "Sun, 09 Dec 2018 13:58:19 -0500")
Message-ID: <865zw2pchs.fsf@elm.localnet>

Ernie Luzar writes:

> Michael Sierchio wrote:
>> sysctl net.inet.ip.fw.default_to_accept=1
>>
>> On Sun, Dec 9, 2018 at 10:08 AM Ernie Luzar wrote:
>>
>>> Is there a sysctl knob to reset the ipfw default from deny all to allow
>>> all? Something that works without rebooting the system.
>
> sysctl net.inet.ip.fw.default_to_accept=1 doesn't work.
> unknown oid
>
> I believe that has to go in loader.conf and reboot the system to enable.
>
> My problem is with ipf on host and ipfw in a vnet jail. Once kldload
> for ipfw is completed it now impacts the host by blocking all traffic
> before host ipf firewall gets the traffic. Putting pass all rules in
> vnet jail ipfw only affects the vnet jail not the host.

The ipfw manpage mentions that it can be modified by kenv, but only if the
ipfw module is reloaded. I don't know if that is acceptable to you, but I
also haven't tried it since I don't use ipfw.
-- 
Carl Johnson carlj@peak.org
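As an added example (not part of this thread or of the ipfw sources), a sh script for the two routes the thread discusses: setting `net.inet.ip.fw.default_to_accept` in `/boot/loader.conf` so it applies at the next boot, and the kenv-then-reload route from ipfw(8), followed by a check that the sysctl and the default rule 65535 actually changed. The helper names and the `apply` argument are this example's own choices; the loader.conf editing runs on any system, the live route needs root on a FreeBSD host.

```sh
#!/bin/sh
# Added example, not from the thread or the ipfw sources. default_to_accept
# is a loader tunable read when the ipfw module loads, so a plain sysctl
# write at runtime does not take effect; the two routes below do.
#   set_loader_tunable           persistent: put the tunable in loader.conf
#   ipfw_default_to_accept_now   live: kenv + reload ipfw, then verify
TUNABLE=net.inet.ip.fw.default_to_accept

# Idempotently set NAME="VALUE" in a loader.conf-style file: replace an
# existing assignment for NAME, otherwise append one. Dots in NAME are
# escaped so the pattern matches only this exact tunable.
set_loader_tunable() {                 # $1=file $2=name $3=value
    file=$1 name=$2 value=$3
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    [ -f "$file" ] || : > "$file"
    if grep -q "^$pat=" "$file"; then
        tmp=$(mktemp) || return 1
        sed "s|^$pat=.*|$name=\"$value\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# Read back NAME's value (surrounding quotes stripped); empty if unset.
get_loader_tunable() {                 # $1=file $2=name
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^$pat=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# Live route from ipfw(8): stage the tunable in the kernel environment, then
# unload and reload ipfw so it is read. Unloading flushes the running
# ruleset, so on a host that is actually filtering this is a gap in coverage.
# Afterwards the sysctl must read 1 and rule 65535 must be an allow rule.
ipfw_default_to_accept_now() {
    kenv "$TUNABLE=1"   || return 1
    kldunload ipfw      || return 1
    kldload ipfw        || return 1
    [ "$(sysctl -n "$TUNABLE")" = 1 ] || return 1
    ipfw list 65535 | grep -q allow    # expect "65535 allow ip from any to any"
}

# Run as "sh script.sh apply" on the FreeBSD host to do both.
if [ "${1:-}" = apply ]; then
    set_loader_tunable /boot/loader.conf "$TUNABLE" 1
    ipfw_default_to_accept_now
fi
```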