Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 2 Jan 2003 08:09:19 -0800
From:      "Lucky Green" <shamrock@cypherpunks.to>
To:        <l.rizzo@iet.unipi.it>
Cc:        <doc@FreeBSD.org>
Subject:   IPFW: suicidal defaults
Message-ID:  <000101c2b279$51d33ba0$6601a8c0@VAIO650>

next in thread | raw e-mail | index | archive | help
Folks,
A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvssup
from the security branch) machine. Following the instruction in the
Handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
I recompiled the kernel with the required options and rebooted the
machine.

What I would have expected to happen is for there to be a new kernel
that later on can be configured with firewall rules. But that is not
what happened. Instead, IPFW defaults to block all IP traffic unless
told otherwise: I was locked out of my machine! Which was on the other
side of the planet from where I was physically located.

Now I am all for shipping systems that are secure out-of-the-box, but
defaulting an install to locking the admin out of his machine is not a
nice thing to do. While I would argue that this should never be done, at
the very least such a major trap should be mentioned in the Handbook so
that administrators that follow the Handbook's step-by-step instructions
know that they have to do so from the console, since in doing so they
will lock themselves out remotely.

Therefore, could you please be so kind and prevent others from shooting
themselves into the foot as I did by

1) at least mention this danger *prominently* in the FreeBSD Handbook.

2) ideally set IPFW defaults so that they don't screw up people's lives.

Big thanks in advance,
--Lucky Green, an otherwise very happy FreeBSD user


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-doc" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000101c2b279$51d33ba0$6601a8c0>