Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 25 Jan 2002 16:08:46 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        "Thomas T. Veldhouse" <veldy@veldy.net>
Cc:        Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020125160846.A14394@blossom.cjclark.org>
In-Reply-To: <002b01c1a5a7$67200e00$3028680a@tgt.com>; from veldy@veldy.net on Fri, Jan 25, 2002 at 07:51:33AM -0600
References:  <20020124201411.A39351-100000@rockstar.stealthgeeks.net> <20020124220302.N87663@blossom.cjclark.org> <002b01c1a5a7$67200e00$3028680a@tgt.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 25, 2002 at 07:51:33AM -0600, Thomas T. Veldhouse wrote:
> It works as expected using the GENERIC kernel.

Because when there is no firewall in the kernel and firewall_enable is
not set to "YES", there is no firewall loaded. This behavior would not
change. In fact this can be an argument for the suggested change, it
would make behavior more consistent between systems without built-in
firewalling and ones with firewalling.

> It only works the way
> complained about when you build your own custom kernel with IPFIREWALL and
> not with IPFIREWALL_DEFAULT_TO_ACCEPT.  At that point, I think the admin
> needs to educate one self.  I prefer to leave it as is, as it errs on the
> side of safety.

I am not sure that making the system pretty much unusable really errs
on the side of safety. I guess brick, cut off from the world, is
pretty secure.  We always need to balance security versus other
factors and usability is one of the big ones.

> There is a message to this respect right in the LINT configuration file.
> 
> # WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
> # and if you do not add other rules during startup to allow access,
> # YOU WILL LOCK YOURSELF OUT.  It is suggested that you set
> firewall_type=open
> # in /etc/rc.conf when first enabling this feature, then refining the
> # firewall rules in /etc/rc.firewall after you've tested that the new kernel
> # feature works properly.

It doesn't actually mention that you need to set firewall_enable="YES"
here, but I really do not think there is a problem with the current
documentation either.

I _do_ think that having firewall_enable="NO" actually disable the
firewall would be more useful. Right now, there is no supported way to
boot up a system with firewalling built into the kernel and actually
disable the firewalling. I think that should be an option. That's
really what makes the change attractive to me. (I have wanted to do
this in the past, I had to enable firewalling, load an "open" rule
set, before I could flip 'net.inet.ip.fw.enable' off.)

> ----- Original Message -----
> From: "Crist J. Clark" <cjc@FreeBSD.ORG>
> To: "Patrick Greenwell" <patrick@stealthgeeks.net>
> Cc: <stable@FreeBSD.ORG>
> Sent: Friday, January 25, 2002 12:03 AM
> Subject: Re: Firewall config non-intuitiveness
> 
> 
> > On Thu, Jan 24, 2002 at 08:21:50PM -0800, Patrick Greenwell wrote:
> > >
> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove
> the
> > > firewall_enable paramater from my rc.conf since firewall_enable is set
> to NO in
> > > /etc/defaults/rc.conf.
> > >
> > > This did not have the intended result of disabling the firewall, rather
> a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it
> make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or
> am I
> > > missing something?
> > >
> > > Opinions welcome.
> >
> > I think this is a valid point. When 'firewall_enable="NO"' the
> > firewalling should be disabled with the net.inet.ip.fw.enable
> > sysctl(8).
> >
> > That said, it _may_ be a little late to make this change in
> > -STABLE. Although the name may be misleading, I think the rest of the
> > documentation is accurate. Besides all the stuff people have quoted
> > about the 'options IPFIREWALL' in the kernel, I think rc.conf(5) is
> > fairly clear,
> >
> >      firewall_enable
> >                    (bool) Set to ``YES'' to load firewall rules at
> startup.
> >                    If the kernel was not built with IPFIREWALL, the ipfw
> ker-
> >                    nel module will be loaded.  See also ipfilter_enable.
> >
> > In that it only says special things happen when it is "YES" and
> > doesn't say it is explicitly disabled when set to "NO." Since this is
> > such a security critical option, I really hesitate when it comes to
> > changing this in -STABLE. -CURRENT OTOH...

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020125160846.A14394>