Date: Fri, 01 Feb 2002 22:56:50 -0700 (MST)
From: "M. Warner Losh" <imp@village.org>
To: current@FreeBSD.ORG
Subject: firewall_enable
Message-ID: <20020201.225650.39719656.imp@village.org>
In-Reply-To: <20020202033112.5490F406A@i8k.babbleon.org>
References: <20020202005621.841F4406A@i8k.babbleon.org> <3C5B42FA.858F36A8@mindspring.com> <20020202033112.5490F406A@i8k.babbleon.org>
Actually, there's a simple way around this that is failsafe.

    firewall_enable=YES        What it does now
                   =NO         Wide open
                   =FAILSAFE   Defaults to wired down.

/etc/defaults/rc.conf
    firewall_enable=FAILSAFE

That way, people that say firewall_enable=NO get what they want, those
that say firewall_enable=YES aren't impacted, and those that do nothing
get the default firewall behavior that is compiled into the kernel.  The
default behavior is controlled by kernel options, but generally is closed
rather than open.

A few extra comments in LINT, where people likely cut and paste their
ipfw and/or ipfilter lines from anyway, should allow those paying
attention to realize the consequences of their actions:

# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to
# any" and if you do not add other rules during startup to allow
# access, YOU WILL LOCK YOURSELF OUT.  If you do not set up firewall
# rules in /etc/rc.conf (with firewall_enable=YES and
# firewall_type=xxx), you must go to the machine and fix it from the
# console.
#
# When setting up a machine for the first time, especially a remote
# machine, with a firewall, you are strongly urged to add
# IPFIREWALL_DEFAULT_TO_ACCEPT to your kernel and be sure that your
# firewall is properly set up in /etc/rc.conf before removing that
# option.  Remote machines can be hard to fix remotely if you do not
# do this and fail to configure the firewall.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
options         IPFIREWALL                      #firewall SEE WARNINGS ABOVE
options         IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD              #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default

Warner
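The three-valued firewall_enable proposed in the message, written out as an rc-style shell fragment. This is an added example, not code from the e-mail or from FreeBSD's /etc/rc.firewall; the FAILSAFE value was a proposal and is not a real rc.conf setting, and the function name apply_firewall_enable and the IPFW_CMD variable are invented here. The point it makes visible is that only the NO branch ever issues a rule that opens the box; FAILSAFE touches nothing and so inherits whatever default the kernel was built with.

```sh
#!/bin/sh
# Added example: how an rc script could act on firewall_enable=YES/NO/FAILSAFE.
# FAILSAFE is the value proposed in the e-mail, not an existing rc.conf knob.

# Program used to talk to the in-kernel firewall.  Defaults to the real
# ipfw(8); set IPFW_CMD=echo to dry-run and see what would be issued.
: "${IPFW_CMD:=/sbin/ipfw}"

# apply_firewall_enable SETTING [FIREWALL_TYPE]
# Emits one summary line describing the resulting policy so the effect of
# each setting can be compared side by side.
apply_firewall_enable() {
    setting=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    fw_type=${2:-open}
    case "$setting" in
    YES)
        # Today's behaviour: load the administrator's rule set for the
        # configured firewall_type (rc.firewall does the real work).
        echo "rules: load firewall_type=$fw_type"
        ;;
    NO)
        # Explicitly wide open.  This is the only branch that overrides a
        # deny-by-default kernel, so it must be a deliberate choice.
        "$IPFW_CMD" -f flush
        "$IPFW_CMD" add 65000 pass ip from any to any
        echo "rules: wide open"
        ;;
    FAILSAFE|'')
        # Proposed default: do nothing and leave the compiled-in rule in
        # place, which is "deny ip from any to any" unless the kernel has
        # IPFIREWALL_DEFAULT_TO_ACCEPT.
        echo "rules: kernel default (closed unless IPFIREWALL_DEFAULT_TO_ACCEPT)"
        ;;
    *)
        # Unknown value: fail closed rather than open, and say so.
        echo "firewall_enable: unknown value '$1', treating as FAILSAFE" >&2
        echo "rules: kernel default (closed unless IPFIREWALL_DEFAULT_TO_ACCEPT)"
        ;;
    esac
}

# Dry-run of all three settings when executed directly.
if [ "${1:-}" = "--demo" ]; then
    IPFW_CMD=echo
    for v in YES NO FAILSAFE; do
        echo "== firewall_enable=$v"
        apply_firewall_enable "$v" client
    done
fi
```

Run it as `sh fwenable.sh --demo` to see the commands each setting would issue without touching a live firewall; an unrecognised value deliberately falls through to the closed default rather than to the open one.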