Date: Mon, 28 Jan 2002 15:37:04 -0700 (MST)
From: "M. Warner Losh" <imp@village.org>
To: nate@yogotech.com
Cc: cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject: Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID: <20020128.153704.109572342.imp@village.org>
In-Reply-To: <15445.53283.957773.221016@caddis.yogotech.com>
References: <15445.48617.802871.870971@caddis.yogotech.com> <20020128.151138.115627568.imp@village.org> <15445.53283.957773.221016@caddis.yogotech.com>
In message: <15445.53283.957773.221016@caddis.yogotech.com>
Nate Williams <nate@yogotech.com> writes:
: > My understanding of what I want and what you want, rendered in code
: > excerpt form is:
: >
: > # Initialize IP filtering using ipfw
: > #
: > if /sbin/ipfw -q flush > /dev/null 2>&1; then
: >         ipfw_in_kernel=1
: > else
: >         ipfw_in_kernel=0
: > fi
: >
: > case ${ipfw_enable} in
: > [Yy][Ee][Ss])
: >         if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
: >                 ipfw_in_kernel=1
: >                 echo 'Kernel firewall module loaded'
: >         elif [ "${ipfw_in_kernel}" -eq 0 ]; then
: >                 echo 'Warning: firewall kernel module failed to load'
: >         fi
: >         ;;
: > esac
:
: This loads things automagically if 'firewall is enabled', and does
: nothing if the 'firewall isn't enabled'.
No. It says if ipfw is enabled, and not in the kernel, load it.
: > case ${ipfw_in_kernel} in
: > 1)
: >         ... (indentation <<)
: >         case ${ipfw_firewall_enable} in
:
: All of the above is just safety code.
This says that "I know that I have IPFW in the kernel, but I want to
disable its firewall functionality"
: > *)
: >         if [ -r "${ipfw_script}" ]; then
: >                 ...
: >         elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
: >                 echo 'Warning: kernel has firewall functionality,' \
: >                     'but firewall rules are not enabled.'
: >                 echo ' All ip services are disabled.'
: >         fi
:
: Which doesn't help much if you are not sitting at the console, but it
: will be seen once you log in and check the logfiles. (Been there, done
: that, hence the reason for my passionate opinions on this subject. :)
Agreed. But the warning is there still.
: Except for the chicken/egg problem, I'm not sure how to get the old
: 'default' functionality and still allow someone to easily 'disable' the
: kernel. (Again, I don't care for the ipfw_firewall_disable variable.
: Also, the name is a bit redundant, but now I'm picking nits. :) :) :)
You missed the no clause of the case.
If you set ipfw_firewall_enable=no, it will disable ipfw even if it is
compiled into the kernel.
This is failsafe, and would be very easy to document.
Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020128.153704.109572342.imp>
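The decision logic the two messages argue over, written out end to end as an added example. This is not FreeBSD's rc.firewall or the script Warner quotes; it fills in the `ipfw_firewall_enable=no` clause that the excerpt above elides with the assumption that "disable" means installing a pass-all rule below 65535 (so a deny-by-default kernel does not cut off every service), and it makes the two external tools injectable through `FWCMD` and `KLDCMD`. The `fake_ipfw` and `fake_kldload` functions are constructed stand-ins so the script runs offline; on a real host point `FWCMD` at /sbin/ipfw and `KLDCMD` at /sbin/kldload. Note that the in-kernel probe is the thread's own `ipfw -q flush`, which has the side effect of removing any rules already loaded.

```shell
#!/bin/sh
# Added example, not FreeBSD rc code: ipfw start-up logic from the thread,
# with the firewall_enable=no branch spelled out and the tools injectable.

# ---- constructed stand-ins for ipfw(8) and kldload(8) -------------------
FAKE_IPFW_IN_KERNEL=0      # 1 once the (fake) module is loaded
FAKE_IPFW_RULES=""         # rules added so far, "; " separated
FAKE_KLDLOAD_FAILS=0       # set to 1 to simulate a missing ipfw.ko

fake_ipfw() {
    # Real ipfw fails on its setsockopt when ipfw is not in the kernel;
    # that failure is exactly what the "-q flush" probe relies on.
    [ "$FAKE_IPFW_IN_KERNEL" -eq 1 ] || return 71
    case "$1 $2" in
    "-q flush")    FAKE_IPFW_RULES="" ;;
    "add "*)       shift; FAKE_IPFW_RULES="${FAKE_IPFW_RULES}${FAKE_IPFW_RULES:+; }$*" ;;
    "list 65535")  echo "65535 deny ip from any to any" ;;   # IPFIREWALL default
    esac
}
fake_kldload() {
    [ "$FAKE_KLDLOAD_FAILS" -eq 0 ] || return 1
    FAKE_IPFW_IN_KERNEL=1
}
FWCMD=${FWCMD:-fake_ipfw}
KLDCMD=${KLDCMD:-fake_kldload}

# firewall_setup IPFW_ENABLE IPFW_FIREWALL_ENABLE IPFW_SCRIPT
# Sets the global fw_status to one of: absent, load-failed, disabled,
# script, locked-out (no rules on a deny-by-default kernel), open.
# Returns 1 only when the module was wanted but could not be loaded.
firewall_setup() {
    ipfw_enable=$1 ipfw_firewall_enable=$2 ipfw_script=$3
    ipfw_in_kernel=0
    "$FWCMD" -q flush >/dev/null 2>&1 && ipfw_in_kernel=1

    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "${ipfw_in_kernel}" -eq 0 ] && "$KLDCMD" ipfw; then
            ipfw_in_kernel=1
            echo 'Kernel firewall module loaded'
        elif [ "${ipfw_in_kernel}" -eq 0 ]; then
            echo 'Warning: firewall kernel module failed to load'
            fw_status=load-failed
            return 1
        fi
        ;;
    esac

    if [ "${ipfw_in_kernel}" -eq 0 ]; then
        fw_status=absent        # nothing in the kernel, nothing to configure
        return 0
    fi

    case ${ipfw_firewall_enable} in
    [Nn][Oo])
        # The "no clause": IPFW is in the kernel but the admin wants it off.
        # A deny-by-default kernel would otherwise drop every packet, so
        # install an explicit pass-all rule below 65535 (assumed behaviour).
        "$FWCMD" add 65000 pass all from any to any
        echo 'Firewall disabled: pass-all rule installed'
        fw_status=disabled
        ;;
    *)
        if [ -r "${ipfw_script}" ]; then
            . "${ipfw_script}"
            fw_status=script
        elif [ "$("$FWCMD" list 65535)" = "65535 deny ip from any to any" ]; then
            echo 'Warning: kernel has firewall functionality,' \
                 'but firewall rules are not enabled.'
            echo '         All ip services are disabled.'
            fw_status=locked-out
        else
            fw_status=open
        fi
        ;;
    esac
}
```

The `locked-out` path is the case Nate describes: the warning is printed, but the box is unreachable over the network until someone at the console loads rules or sets `ipfw_firewall_enable=no`.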
