Date: Mon, 26 Feb 1996 14:46:55 +0100
From: Poul-Henning Kamp <phk@critter.tfs.com>
To: michael butler <imb@scgt.oz.au>
Cc: stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
Message-ID: <11445.825342415@critter.tfs.com>
In-Reply-To: Your message of "Tue, 27 Feb 1996 00:41:15 +1100." <199602261341.AAA09032@asstdc.scgt.oz.au>

> Poul-Henning Kamp writes:
>
> > > If you ^C your way to a shell prompt, there's a single rule that's in
> > > the firewall list saying "deny all from any to any". Courtesy of the
> > > same recent brain-damage in ipfw(8), you can't delete this rule either
> > > ("setsockopt failed").
>
> > If you call this "brain-damage" then you quite clearly don't need IPFW.
>
> I call it "brain-damage" to render a machine unbootable because it can't
> "see" its _own_ interfaces. AFAIK, firewalls by default prevent packets
> passing _through_ them but are themselves permitted to talk to anything they
> have a route to (the previous behaviour with a default policy of "deny"). A
> direct connection (interface in the same box) constitutes having a "route to"

Well, this happens to be your view. I know machines where IPFW is being
used to restrict what users on the machine can do, this is only possible
if you filter >ALL< traffic, to and from the machine.

The IPFW is not a policy, it's a tool to implement policies. As such it
needs to be able to implement the widest possible range of policies.

> Further, there are no hints whatsoever in the current rc, sysconfig,
> netstart, et al to indicate that this (current condition) is the problem.
> Even if this (IMHO unusual) behaviour was documented it wouldn't be so much
> of a problem,

No, this is still on its way.

You should be on -committers if you run -stable or -current. If you were,
you would have seen it.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.