Date: Fri, 25 Jan 2002 10:39:11 -0800 (PST)
From: Scott Campbell <scampbel@gvpl.ca>
To: Nate Williams <nate@yogotech.com>
Cc: Nik Clayton <nik@FreeBSD.ORG>, Patrick Greenwell <patrick@stealthgeeks.net>, <stable@FreeBSD.ORG>
Subject: Re: Firewall config non-intuitiveness
Message-ID: <Pine.BSF.4.32.0201251025450.41337-100000@pochta.gvpl.victoria.bc.ca>
In-Reply-To: <15441.36372.572274.479242@caddis.yogotech.com>
On Fri, 25 Jan 2002, Nate Williams wrote:

> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove the
> > > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > > /etc/defaults/rc.conf.
> > >
> > > This did not have the intended result of disabling the firewall, rather a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > > missing something?
> > >
> > > Opinions welcome.
> >
> > I've got a hunch this needs to be a tri-state variable.
> >
> > YES -- Load the firewall rules
> > NO -- Do nothing, default policy is compiled in to the kernel
> > OFF -- Explicitly set net.inet.ip.fw.enable=0
>
> Can you ever think of where 'NO' != 'OFF'.
>
> In the case of a wide-open firewall, 'NO' == 'OFF' gives the same
> functionality, and in the case of the default firewall setup (everything
> filtered), the computer can't be used for anything, so I'd consider it a
> mistake to enable the firewall with no rules *AND* have the network
> connections enabled.
>
> I think 'YES' and 'NO' would be fine.

Do we NEED the "firewall_enable" in rc.conf? Since we are enabling it in the
kernel then we don't really have the option to enable/disable like other stuff
(sendmail, sshd...) in rc.conf.

Remove "firewall_enable" from rc.conf and then note in rc.conf that
"firewall_type" must be used to change the behaviour of ipfw if ipfw has been
enabled in the kernel. And in /etc/defaults/rc.conf have firewall_type="closed".

I am probably missing something so please feel free to enlighten.

Scott E. Campbell
_______________________________
Computer Operations
Greater Victoria Public Library
Victoria BC CANADA
scampbel@gvpl.ca
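The trap Patrick describes (ipfw compiled in, firewall_enable left at the default NO, so no ruleset loads and the kernel's compiled-in policy applies) as an added audit check; this is example code, not part of the thread or of FreeBSD's rc scripts. It sources a defaults file and a local rc.conf in the same order rc(8) does and reports the resulting state; the sample rc.conf files and the "is ipfw in the kernel" flag are constructed inputs supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): report the ipfw state that a
# defaults/local rc.conf pair would produce, to catch the case where ipfw is
# in the kernel but firewall_enable is NO, so no rules load and the kernel's
# compiled-in default policy (deny, unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT) silently applies.

is_yes() { case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac; }

# effective_firewall_state DEFAULTS_RC LOCAL_RC KERNEL_HAS_IPFW
#   Sources DEFAULTS_RC then LOCAL_RC in a subshell, so the local file overrides
#   the defaults exactly as /etc/rc.conf overrides /etc/defaults/rc.conf.
#   KERNEL_HAS_IPFW (yes/no) is supplied by the caller; on a live host take it
#   from the kernel configuration rather than guessing. Prints one of:
#     no-firewall          ipfw is not in the kernel at all
#     rules-loaded type=T  firewall_enable=YES, ruleset T will be loaded
#     compiled-in-default  ipfw in kernel but firewall_enable=NO: no rules,
#                          the compiled-in default policy applies (the trap)
effective_firewall_state() {
    defaults_rc=$1; local_rc=$2; kernel_has_ipfw=$3
    (
        firewall_enable=NO; firewall_type=UNKNOWN
        [ -r "$defaults_rc" ] && . "$defaults_rc"
        [ -r "$local_rc" ] && . "$local_rc"
        if ! is_yes "$kernel_has_ipfw"; then
            echo no-firewall
        elif is_yes "$firewall_enable"; then
            echo "rules-loaded type=$firewall_type"
        else
            echo compiled-in-default
        fi
    )
}

# Constructed sample files standing in for /etc/defaults/rc.conf and /etc/rc.conf.
tmp=$(mktemp -d)
printf 'firewall_enable="NO"\nfirewall_type="UNKNOWN"\n' > "$tmp/defaults.rc.conf"
# rc.conf with firewall_enable removed, relying on the default NO (the trap)
printf 'hostname="host.example"\n' > "$tmp/rc.conf.trap"
# rc.conf that really loads the wide-open ruleset
printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$tmp/rc.conf.open"

for rc in rc.conf.trap rc.conf.open; do
    printf '%s with ipfw in kernel: %s\n' "$rc" \
        "$(effective_firewall_state "$tmp/defaults.rc.conf" "$tmp/$rc" yes)"
done
```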