Date: Tue, 29 Jan 2002 13:06:29 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Matthew Whelan <muttley@gotadsl.co.uk>
Cc: "Thomas T. Veldhouse" <veldy@veldy.net>, andrew.cowan@hsd.com.au, "Nate Williams" <nate@yogotech.com>, "Freebsd-Stable" <freebsd-stable@FreeBSD.ORG>
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <200201292106.g0TL6T748013@apollo.backplane.com>
References: <SQ5323WMGH94GE51S204VULSNEA.3c56fdd9@VicNBob>
:
:> Let's not make things even more confusing than they already are.  The
:> answer to me is simple:
:>
:> If firewall_enable is "NO" and ipfw is active, /etc/rc* should
:> simply add a rule to allow all traffic.  Simple.  Problem solved.
:
:But the net effect of this would be the same as knocking out the firewall
:via sysctl - all traffic is passed; again, this is not fail-safe, which is
:exactly why there's so many messages in this thread and its family ;p
:
:In fact, this is exactly what the existing rc scripts do if:
:firewall_enable=YES
:firewall_type=open

    Anyone who intends to use a compiled-in IPFW is going to have firewall
    rules.  If you forget to add your firewall rules you might as well not
    have a network at all (i.e. the machine will be completely useless).
    So there's no 'safety' issue in opening up the default closed firewall
    in /etc/rc* if the person didn't specify a firewall ruleset.

    The only safety issue we have is simply that we do not want to
    temporarily open up the machine while it is in the booting process.
    If the booting process ends with firewall_enable="NO", then at that
    point we can safely open up the machine (add the 'allow everything'
    rule).

    I've been hit by this piece of nonsense before as well.  I would like
    to see the rules fixed so it doesn't matter what you compile into the
    kernel -- if your firewall_enable is NO, then it should be as if you
    don't have a file.  Simple, obvious, straightforward.  All this other
    crap about having to specify firewall_ options one way if you have the
    firewall compiled in and another way if you don't is, well, crap.
    /etc/rc.conf should work the same no matter how the kernel is compiled.

						-Matt
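As an added example, not code from the thread or from FreeBSD's own rc scripts, the sh sketch below implements the end-of-boot behaviour Dillon argues for: stay closed while booting, load the ruleset when firewall_enable is YES, open up only once boot has finished when it is NO, and do nothing when ipfw is not in the kernel. The sysctl used to detect ipfw, rule number 65000 and the DRY_RUN switch are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the thread or FreeBSD's own rc scripts): the
# end-of-boot firewall logic Dillon argues for, so firewall_enable means the
# same thing whether or not IPFIREWALL is compiled into the kernel.
# Assumptions: ipfw presence is detected via sysctl net.inet.ip.fw.enable;
# rule number 65000 and DRY_RUN are placeholders chosen for this sketch.
DRY_RUN=${DRY_RUN:-1}

# Normalise an rc.conf boolean the way rc.subr's checkyesno does.
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)     echo yes ;;
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) echo no ;;
        *)                                            echo bad ;;
    esac
}

# Is ipfw in the running kernel? An explicit 0/1 in $1 overrides detection
# so the decision logic can be exercised on a host without ipfw.
ipfw_present() {
    case "$1" in 1) return 0 ;; 0) return 1 ;; esac
    sysctl -n net.inet.ip.fw.enable >/dev/null 2>&1
}

# In dry-run mode report the command on stderr instead of executing it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "would run: $*" >&2; else "$@"; fi; }

# Decide the firewall step for one boot phase and print the action taken:
#   none | load-rules | keep-closed | open
#   $1 phase: early (network coming up) or late (boot finished)
#   $2 firewall_enable   $3 firewall_type   $4 optional ipfw override (0/1)
firewall_step() {
    phase=$1; enable=$(yesno "$2"); type=$3
    # No ipfw in the kernel: the rc.conf setting is irrelevant.
    ipfw_present "$4" || { echo none; return 0; }
    case "$enable:$phase" in
        # YES: load the ruleset (firewall_type=open is the existing "allow all").
        yes:early) run sh /etc/rc.firewall "$type"; echo load-rules ;;
        yes:late)  echo none ;;
        # NO: the kernel's default rule 65535 is deny, so stay closed while
        # booting, and only once boot has finished behave as if ipfw were absent.
        no:early)  echo keep-closed ;;
        no:late)   run ipfw add 65000 allow ip from any to any; echo open ;;
        # Anything else is a configuration error; failing closed is the safe side.
        *)         echo "firewall_enable=$2 is not YES/NO" >&2; echo keep-closed ;;
    esac
}
```

Running `firewall_step late NO open 1` on a host without ipfw uses the override to show the decision (`open`) and, in dry-run mode, the ipfw command that would be issued.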