From: "Thomas T. Veldhouse"
To: "Crist J. Clark", "Patrick Greenwell"
Subject: Re: Firewall config non-intuitiveness
Date: Fri, 25 Jan 2002 07:51:33 -0600

It works as expected using the GENERIC kernel. It only works the way complained about when you build your own custom kernel with IPFIREWALL and not with IPFIREWALL_DEFAULT_TO_ACCEPT. At that point, I think the admin needs to educate oneself. I prefer to leave it as is, as it errs on the side of safety. There is a message to this respect right in the LINT configuration file.

# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Crist J. Clark"
To: "Patrick Greenwell"
Sent: Friday, January 25, 2002 12:03 AM
Subject: Re: Firewall config non-intuitiveness

> On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> >
> > I recently got bit by this: I have firewall options configured into my
> > kernel, and made the mistake of thinking that in order to disable
> > this functionality to allow all traffic that I merely needed to remove the
> > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > /etc/defaults/rc.conf.
> >
> > This did not have the intended result of disabling the firewall, rather a
> > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > missing something?
> >
> > Opinions welcome.
>
> I think this is a valid point. When 'firewall_enable="NO"' the
> firewalling should be disabled with the net.inet.ip.fw.enable
> sysctl(8).
>
> That said, it _may_ be a little late to make this change in
> -STABLE. Although the name may be misleading, I think the rest of the
> documentation is accurate. Besides all the stuff people have quoted
> about the 'options IPFIREWALL' in the kernel, I think rc.conf(5) is
> fairly clear,
>
>     firewall_enable
>         (bool) Set to ``YES'' to load firewall rules at startup.
>         If the kernel was not built with IPFIREWALL, the ipfw kernel
>         module will be loaded. See also ipfilter_enable.
>
> In that it only says special things happen when it is "YES" and
> doesn't say it is explicitly disabled when set to "NO." Since this is
> such a security critical option, I really hesitate when it comes to
> changing this in -STABLE. -CURRENT OTOH...
> --
> Crist J. Clark | cjclark@alum.mit.edu
>                | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
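The boot-time outcomes argued over in this thread, as an added example that is not from any of the list posts: a POSIX sh checker that reads a kernel config and an rc.conf and predicts whether the host comes up in ipfw's default deny with no rules loaded (the lockout case), in default accept, with rc.firewall rules, or without ipfw at all. The sample config files are constructed inline; the helper names, the file layout and the set of spellings accepted as "yes" are assumptions, not FreeBSD's own tooling.

```shell
#!/bin/sh
# Added example (not from the list posts): predict the ipfw state a host boots into
# from its kernel config and rc.conf. Sample files below are constructed; names are assumed.

kernel_has_option() {
    # $1 = kernel config file, $2 = option name; exact-word match on "options" lines
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$)" "$1"
}

rc_value() {
    # $1 = rc.conf-style file, $2 = variable; last assignment wins, quotes/comments stripped
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d "\"' "
}

is_yes() {
    # Assumption: the spellings the rc scripts treat as true, case-insensitively
    case "$1" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;; *) return 1 ;; esac
}

predict_policy() {
    # $1 = kernel config, $2 = rc.conf. Prints one of:
    #   rules-loaded:<type>  firewall_enable is yes; /etc/rc.firewall sets the policy
    #   no-ipfw              IPFIREWALL not compiled in and nothing asked to load it
    #   default-accept       IPFIREWALL plus IPFIREWALL_DEFAULT_TO_ACCEPT, no rules
    #   LOCKOUT              IPFIREWALL compiled in, default deny, no rules loaded
    if is_yes "$(rc_value "$2" firewall_enable)"; then
        ftype=$(rc_value "$2" firewall_type)
        echo "rules-loaded:${ftype:-unset}"
    elif ! kernel_has_option "$1" IPFIREWALL; then
        echo no-ipfw
    elif kernel_has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo default-accept
    else
        echo LOCKOUT
    fi
}

workdir=$(mktemp -d)
# Constructed kernel configs: GENERIC-like, the custom kernel from the thread, one built to accept
printf 'ident GENERIC\noptions INET\n' > "$workdir/GENERIC"
printf 'ident CUSTOM\noptions IPFIREWALL\noptions IPFIREWALL_VERBOSE\n' > "$workdir/CUSTOM"
printf 'ident ACCEPT\noptions IPFIREWALL\noptions IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$workdir/ACCEPT"
# Constructed rc.conf files: firewall_enable removed (defaults to NO), and the LINT-recommended open setting
printf 'sshd_enable="YES"\n' > "$workdir/rc.conf.noentry"
printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$workdir/rc.conf.open"
for k in GENERIC CUSTOM ACCEPT; do
    for r in rc.conf.noentry rc.conf.open; do
        printf '%-8s %-16s -> %s\n' "$k" "$r" "$(predict_policy "$workdir/$k" "$workdir/$r")"
    done
done
```

The CUSTOM kernel with no firewall_enable entry is Patrick's situation and prints LOCKOUT; adding IPFIREWALL_DEFAULT_TO_ACCEPT or setting firewall_enable="YES" with firewall_type="open" are the two ways out the thread and LINT describe.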