From owner-freebsd-stable Fri Jan 25 5:52:59 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from proverbs.outreachnetworks.com (proverbs.outreachnetworks.com [65.196.249.4]) by hub.freebsd.org (Postfix) with SMTP id 7A29137B423 for ; Fri, 25 Jan 2002 05:52:45 -0800 (PST)
Received: (qmail 73337 invoked from network); 25 Jan 2002 13:52:43 -0000
Received: from unknown (HELO phoncella.outreachnetworks.com) (64.108.58.96) by proverbs.outreachnetworks.com with SMTP; 25 Jan 2002 13:52:43 -0000
Received: (from elh@localhost) by phoncella.outreachnetworks.com (8.11.6/8.11.6) id g0PDqjT06502 for stable@FreeBSD.ORG; Fri, 25 Jan 2002 08:52:45 -0500
X-Authentication-Warning: phoncella.outreachnetworks.com: elh set sender to elh@outreachnetworks.com using -f
Date: Fri, 25 Jan 2002 08:52:45 -0500
From: "Eric L. Howard"
To: stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020125085245.B5040@outreachnetworks.com>
Mail-Followup-To: stable@FreeBSD.ORG
References: <20020124201411.A39351-100000@rockstar.stealthgeeks.net> <20020124220302.N87663@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020124220302.N87663@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Thu, Jan 24, 2002 at 10:03:02PM -0800
Favorite-Scripture: Romans 8:18
Theocratic-Rule-Advocate: http://www.crossmovement.com
Registered-Secret-Agent: Agent Double-Naught Seven
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

At a certain time, now past, Crist J. Clark spake thusly:
> On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> >
> > I recently got bit by this: I have firewall options configured into my
> > kernel, and made the mistake of thinking that in order to disable
> > this functionality to allow all traffic that I merely needed to remove the
> > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > /etc/defaults/rc.conf.
> >
> > This did not have the intended result of disabling the firewall, rather a
> > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > missing something?
> >
> > Opinions welcome.
>
> I think this is a valid point. When 'firewall_enable="NO"' the
> firewalling should be disabled with the net.inet.ip.fw.enable
> sysctl(8).
>
> That said, it _may_ be a little late to make this change in
> -STABLE. Although the name may be misleading, I think the rest of the
> documentation is accurate. Besides all the stuff people have quoted
> about the 'options IPFIREWALL' in the kernel, I think rc.conf(5) is
> fairly clear,
>
>      firewall_enable
>              (bool) Set to ``YES'' to load firewall rules at startup.
>              If the kernel was not built with IPFIREWALL, the ipfw kernel
>              module will be loaded. See also ipfilter_enable.
>
> In that it only says special things happen when it is "YES" and
> doesn't say it is explicitly disabled when set to "NO." Since this is
> such a security critical option, I really hesitate when it comes to
> changing this in -STABLE. -CURRENT OTOH...

Agreed, and since it is _explicitly_ stated that "YES" loads firewall
rules at start-up, the _implicit_ assumption (good or bad [bad for
Patrick in this case] when that section of rc.conf(5) is read) is that
if I set "NO" then no firewall rules will be loaded at startup (I think
we agree here).

Kinda like Cisco ACLs...not shown, but we all know there's an implicit
deny at the bottom that doesn't log info...

I think the three-pronged approach in the other sub-thread is a good
idea to introduce into -CURRENT...at the same time, what would it take
to fix up the manpages in -STABLE with an explicit statement of what
"NO" does?

                                                        ~elh

-- 
Eric L. Howard                      e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com                                    313.297.9900
------------------------------------------------------------------------
Advocate of the Theocratic Rule

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
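A check for the state the thread is about, added here as an example and not code from the thread or from FreeBSD's rc scripts. The point Patrick ran into is that three separate things decide whether packets are filtered: whether `options IPFIREWALL` (or ipfw.ko) is in the kernel, the `net.inet.ip.fw.enable` sysctl, and the rules that `firewall_enable="YES"` loads. With the kernel option present, rules absent, and the sysctl at its default of 1, the only rule in the set is the fixed terminal rule 65535, which carries the compiled-in default (deny, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT), so the box quietly drops everything. The function below takes those three observations as strings so it can be exercised offline; the function name, state labels and the sample `ipfw list` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: classify an ipfw
# host from three observations so the trap Patrick hit (IPFIREWALL kernel,
# firewall_enable left at the default "NO", built-in default deny applied)
# shows up as its own state instead of looking like "firewall off".
#
# Arguments (strings, so the logic runs offline; on a host they come from
# the commands named in the comments):
#   $1  firewall_enable value, YES or NO   (rc.conf / defaults/rc.conf)
#   $2  output of: sysctl -n net.inet.ip.fw.enable   (empty if no ipfw at all)
#   $3  output of: ipfw list
classify_ipfw() {
    rc_value=$1
    fw_sysctl=$2
    rule_list=$3

    # No net.inet.ip.fw.enable sysctl: neither IPFIREWALL nor ipfw.ko is present.
    if [ -z "$fw_sysctl" ]; then
        echo "no-ipfw"
        return 0
    fi
    # Sysctl at 0: packets bypass the rule set, whatever is loaded.
    if [ "$fw_sysctl" = "0" ]; then
        echo "bypassed"
        return 0
    fi

    # Rule 65535 is the fixed terminal rule; its action is the kernel's
    # compiled-in default (deny unless built with IPFIREWALL_DEFAULT_TO_ACCEPT).
    # Every other numbered line is a rule somebody loaded.
    user_rules=$(printf '%s\n' "$rule_list" | grep -v '^65535 ' | grep -c '^[0-9]' || true)
    default_action=$(printf '%s\n' "$rule_list" | awk '$1 == 65535 { print $2 }')

    case "$rc_value" in
        [Yy][Ee][Ss])
            if [ "$user_rules" -gt 0 ]; then
                echo "filtering-with-ruleset"
            else
                echo "enabled-but-no-rules-loaded"
            fi
            ;;
        *)
            # firewall_enable="NO": rc loads nothing, but the kernel still
            # filters with its terminal rule. This is the case in the thread.
            if [ "$default_action" = "deny" ]; then
                echo "default-deny-all"
            else
                echo "default-allow-all"
            fi
            ;;
    esac
}

# Constructed sample outputs of `ipfw list` (not captured from a real host).
IPFW_DEFAULT_DENY='65535 deny ip from any to any'
IPFW_DEFAULT_ACCEPT='65535 allow ip from any to any'
IPFW_WITH_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# Patrick's situation: firewall_enable falls back to NO, the sysctl is still 1,
# and the only rule present is the compiled-in default deny.
classify_ipfw NO 1 "$IPFW_DEFAULT_DENY"      # default-deny-all
# What he expected "NO" to mean: the same kernel with the sysctl cleared.
classify_ipfw NO 0 "$IPFW_DEFAULT_DENY"      # bypassed
```

On a live host, feed the function the real values from /etc/rc.conf (falling back to /etc/defaults/rc.conf), `sysctl -n net.inet.ip.fw.enable` and `ipfw list`. A result of `default-deny-all` is exactly the situation the thread complains about, and the manual remedy is the one Patrick and Crist both name: `sysctl net.inet.ip.fw.enable=0`, which the rc scripts of the day did not do for you when `firewall_enable` was "NO".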