From owner-freebsd-security@FreeBSD.ORG Mon Feb 9 01:23:59 2004
Date: Mon, 9 Feb 2004 20:23:47 +1100
From: Peter Jeremy
To: "Gogh, Ruben van"
Cc: "'freebsd-security@freebsd.org'"
Subject: Re: IPFIREWALL_DEFAULT_TO_ACCEPT becomes default to deny
Message-ID: <20040209092347.GA43158@server.vk2pj.dyndns.org>
In-Reply-To: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
References: <0FDD52D38220D611B7CC0004763B3744F80826@HNTS-04>
User-Agent: Mutt/1.4.1i
List-Id: Security issues [members-only posting]

On Mon, Feb 09, 2004 at 08:32:36AM +0100, Gogh, Ruben van wrote:
>Last Friday I upgraded to 4.8-RELEASE-p15. As usual I set IPFIREWALL to
>default accept in my kernel config file.
>config & make weren't complaining so, installed the kernel, reboot and there
>it was:
>>IP packet filtering initialized, divert disabled, rule-based forwarding
>>enabled, default to deny, logging disabled
>Output of ipfw show:
>65535 0 0 deny ip from any to any

This means IPFIREWALL_DEFAULT_TO_ACCEPT is not defined when
/sys/netinet/ip_fw.c is compiled.

Do you have "options INCLUDE_CONFIG_FILE"? If so, does
"options IPFIREWALL_DEFAULT_TO_ACCEPT" show up in your kernel?

Does /usr/obj/usr/src/sys/<>/opt_ipfw.h or /sys/compile/<>/opt_ipfw.h
include the lines:
#define IPFIREWALL 1
#define IPFIREWALL_DEFAULT_TO_ACCEPT 1

Does the kernelname in your dmesg.boot match your expected config?

Have you wiped /usr/obj[/usr/src/sys/<>] or /sys/compile and re-built the
kernel?

Have you tried wiping /usr/src[/sys], re-extracting/cvsuping and
re-building?

>There is no such thing as settings in rc.conf like firewall_type="closed"
>or whatsoever. When I boot up with the older kernel it uses default to
>accept...

What version is this kernel?

>I triple checked the config file for the right settings. And, as I did
>config && make depend && make install the system
>wasn't complaining about a thing.

I gather from this that you are using the "old" kernel build strategy.
You are aware that this is missing a step: Neither "make depend" nor
"make install" actually compiles the kernel. You need to do a "make"
in between.

Peter
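The checks Peter lists (the two defines in opt_ipfw.h and the action of rule 65535 in `ipfw show`) can be scripted so that a mismatch between the configured and the running default policy is caught before the box is trusted with the "accept" assumption. The script below is an added example, not code from the thread or from FreeBSD; the file paths and the sample opt_ipfw.h and `ipfw show` contents are constructed for illustration, and in practice you would point `check_ipfw_policy` at your build directory's opt_ipfw.h and at the output of `ipfw show` on the running kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the ipfw default
# policy compiled into opt_ipfw.h with the default rule of the running kernel.

# opt_ipfw_default FILE: print "accept" or "deny" according to whether
# IPFIREWALL_DEFAULT_TO_ACCEPT is defined in the given opt_ipfw.h.
opt_ipfw_default() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "missing"
        return 1
    fi
    if grep -q '^#define[[:space:]]*IPFIREWALL_DEFAULT_TO_ACCEPT[[:space:]]*1' "$f"; then
        echo "accept"
    else
        echo "deny"
    fi
}

# ipfw_default_rule: read `ipfw show` output on stdin and print the action
# field of rule 65535 ("allow" or "deny"); that rule is the compiled-in default.
ipfw_default_rule() {
    awk '$1 == 65535 { print $4; found = 1 } END { if (!found) print "unknown" }'
}

# check_ipfw_policy OPT_IPFW_H IPFW_SHOW_FILE: 0 when the header and the
# running kernel agree, 1 on mismatch, 2 when the header cannot be read.
check_ipfw_policy() {
    want=$(opt_ipfw_default "$1") || return 2
    got=$(ipfw_default_rule < "$2")
    case "$want:$got" in
        accept:allow|deny:deny)
            echo "ok: kernel default is $got"
            return 0 ;;
        *)
            echo "MISMATCH: opt_ipfw.h says $want, running kernel says $got"
            return 1 ;;
    esac
}

# Constructed sample inputs (assumed contents, not real build output).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/opt_ipfw_accept.h" <<'EOF'
#define IPFIREWALL 1
#define IPFIREWALL_DEFAULT_TO_ACCEPT 1
EOF

cat > "$SAMPLE_DIR/opt_ipfw_deny.h" <<'EOF'
#define IPFIREWALL 1
EOF

# What Ruben saw: only the default rule, and it denies.
cat > "$SAMPLE_DIR/ipfw_show_deny.txt" <<'EOF'
65535 0 0 deny ip from any to any
EOF

cat > "$SAMPLE_DIR/ipfw_show_accept.txt" <<'EOF'
00100 12 960 allow ip from any to any via lo0
65535 0 0 allow ip from any to any
EOF

# Demonstration: the header says accept, the kernel says deny -> mismatch.
check_ipfw_policy "$SAMPLE_DIR/opt_ipfw_accept.h" "$SAMPLE_DIR/ipfw_show_deny.txt" || true
```

A "MISMATCH" result is exactly the situation in the thread: the kernel that is running was not built from the opt_ipfw.h you are reading, which is what a skipped `make` (or a stale /usr/obj, or booting an older kernel) produces.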