From owner-freebsd-current Mon Feb 26 05:46:58 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id FAA19298 for current-outgoing; Mon, 26 Feb 1996 05:46:58 -0800 (PST)
Received: from tfs.com (tfs.com [140.145.250.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id FAA19293 Mon, 26 Feb 1996 05:46:57 -0800 (PST)
Received: from critter.tfs.com by tfs.com (smail3.1.28.1) with SMTP id m0tr3GR-0003wgC; Mon, 26 Feb 96 05:46 PST
Received: from localhost.tfs.com (localhost.tfs.com [127.0.0.1]) by critter.tfs.com (8.6.12/8.6.12) with SMTP id OAA11447; Mon, 26 Feb 1996 14:46:56 +0100
X-Authentication-Warning: critter.tfs.com: Host localhost.tfs.com didn't use HELO protocol
To: michael butler
cc: stable@freebsd.org, current@freebsd.org
Subject: Re: -stable hangs at boot (fwd)
In-reply-to: Your message of "Tue, 27 Feb 1996 00:41:15 +1100." <199602261341.AAA09032@asstdc.scgt.oz.au>
Date: Mon, 26 Feb 1996 14:46:55 +0100
Message-ID: <11445.825342415@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-current@freebsd.org
Precedence: bulk

> Poul-Henning Kamp writes:
>
> > > If you ^C your way to a shell prompt, there's a single rule that's in
> > > the firewall list saying "deny all from any to any". Courtesy of the
> > > same recent brain-damage in ipfw(8), you can't delete this rule either
> > > ("setsockopt failed").
>
> > If you call this "brain-damage" then you quite clearly don't need IPFW.
>
> I call it "brain-damage" to render a machine unbootable because it can't
> "see" its _own_ interfaces. AFAIK, firewalls by default prevent packets
> passing _through_ them but are themselves permitted to talk to anything they
> have a route to (the previous behaviour with a default policy of "deny"). A
> direct connection (interface in the same box) constitutes having a "route to"

Well, this happens to be your view.

I know machines where IPFW is being used to restrict what users on the
machine can do; this is only possible if you filter >ALL< traffic, to and
from the machine.

The IPFW is not a policy, it's a tool to implement policies. As such it
needs to be able to implement the widest possible range of policies.

> Further, there are no hints whatsoever in the current rc, sysconfig,
> netstart, et al to indicate that this (current condition) is the problem.
> Even if this (IMHO unusual) behaviour was documented it wouldn't be so much
> of a problem,

No, this is still on its way. You should be on -committers if you run
-stable or -current. If you were, you would have seen it.

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
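The disagreement above is about what a default-deny rule chain should do with the host's own traffic. The toy first-match evaluator below is an added example, not code from this mail, from ipfw(8) or from FreeBSD; it models only an assumed subset of ipfw-style rule syntax (`<action> <proto> from <src> to <dst> [via <iface>]`, first match wins, implicit trailing `deny ip from any to any`) and uses constructed addresses and the interface names `lo0` and `ed0`. It shows the three policies the thread talks about: nothing but the implicit deny (the machine cannot reach even its own interfaces), a loopback pass rule in front of it, and a rule set that lets the host itself talk while transit traffic stays denied.

```python
"""Toy first-match packet filter modelled on an ipfw(8)-style rule list.

Added example for illustration; it is not ipfw's code and implements only
an assumed subset of the rule syntax:
    <action> <proto> from <src> to <dst> [via <iface>]
<action> is "allow" or "deny"; <proto> is "ip" (any protocol) or a protocol
name; <src>/<dst> are "any" or one IPv4 address; <iface> is an interface
name. Rules are tried in order and the first match decides, with an
implicit final "deny ip from any to any" as the default policy.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    via: Optional[str] = None   # None means "any interface"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    iface: str


def parse_rule(text: str) -> Rule:
    """Parse one rule line of the assumed subset; reject anything else."""
    tok = text.split()
    if len(tok) not in (6, 8) or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, dst = tok[0], tok[1], tok[3], tok[5]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    via = None
    if len(tok) == 8:
        if tok[6] != "via":
            raise ValueError(f"unexpected keyword in rule: {text!r}")
        via = tok[7]
    return Rule(action, proto, src, dst, via)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every one of its constraints matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


# The implicit last rule: everything not explicitly allowed is denied.
DEFAULT_RULE = Rule("deny", "ip", "any", "any")


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation over the user rules plus the default rule."""
    for rule in rules + [DEFAULT_RULE]:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # unreachable: DEFAULT_RULE matches every packet


def verdicts(rule_lines: List[str], packets: List[Packet]) -> List[str]:
    rules = [parse_rule(line) for line in rule_lines]
    return [evaluate(rules, p) for p in packets]


# Constructed sample traffic (addresses from documentation ranges):
#   1. the host talking to itself over loopback
#   2. the host sending from its own LAN address 192.0.2.10 out of ed0
#   3. a transit packet between two other hosts crossing ed0
SAMPLE_PACKETS = [
    Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0"),
    Packet("udp", "192.0.2.10", "203.0.113.7", "ed0"),
    Packet("tcp", "198.51.100.5", "203.0.113.7", "ed0"),
]

# Policy 1: no rules at all, only the implicit deny (the boot-time state
# described in the thread): even loopback is dropped.
EMPTY_RULESET: List[str] = []

# Policy 2: loopback passes, everything else is still denied.
LOOPBACK_ONLY = ["allow ip from any to any via lo0"]

# Policy 3: the host may talk over its own interfaces, transit stays denied.
OWN_HOST_ALLOWED = [
    "allow ip from any to any via lo0",
    "allow ip from 192.0.2.10 to any",
    "allow ip from any to 192.0.2.10",
]

if __name__ == "__main__":
    for name, rules in [("empty", EMPTY_RULESET),
                        ("loopback-only", LOOPBACK_ONLY),
                        ("own-host-allowed", OWN_HOST_ALLOWED)]:
        print(f"{name:17s} {verdicts(rules, SAMPLE_PACKETS)}")
```

Running the script prints one verdict list per policy; the empty rule set denies all three packets, which is exactly why a box with nothing but the default rule cannot finish booting services that talk to their own loopback interface. Policy 2 and 3 differ only in whether the host's own non-loopback traffic is trusted, which is the policy choice the thread argues about, and both keep transit traffic denied.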