Date: Thu, 2 Jan 2003 11:41:11 -0700 (MST) From: Nick Rogness <nick@rogness.net> To: Lucky Green <shamrock@cypherpunks.to> Cc: l.rizzo@iet.unipi.it, <doc@FreeBSD.ORG> Subject: Re: IPFW: suicidal defaults Message-ID: <20030102112914.P4054-100000@skywalker.rogness.net> In-Reply-To: <000101c2b279$51d33ba0$6601a8c0@VAIO650>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 2 Jan 2003, Lucky Green wrote: > Folks, > A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvssup > from the security branch) machine. Following the instruction in the > Handbook at > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html > I recompiled the kernel with the required options and rebooted the > machine. > > What I would have expected to happen is for there to be a new kernel > that later on can be configured with firewall rules. But that is not > what happened. Instead, IPFW defaults to block all IP traffic unless > told otherwise: I was locked out of my machine! Which was on the other > side of the planet from where I was physically located. Do some research and testing before installing something at such a remote location. Basic SysAdmin-101 concepts. > > Now I am all for shipping systems that are secure out-of-the-box, but > defaulting an install to locking the admin out of his machine is not a > nice thing to do. While I would argue that this should never be done, at > the very least such a major trap should be mentioned in the Handbook so > that administrators that follow the Handbook's step-by-step instructions > know that they have to do so from the console, since in doing so they > will lock themselves out remotely. > Therefore, could you please be so kind and prevent others from shooting > themselves into the foot as I did by > > 1) at least mention this danger *prominently* in the FreeBSD Handbook. > Agreed. There should be a mention. However, someone has to write it. Instead of bitchin about it, go ahead and submit a change (bug report). > 2) ideally set IPFW defaults so that they don't screw up people's lives. > This is probably won't happen nor should it. A lot of firewalls come with default to deny. It is not as unusual as you would think. In fact, it makes sense to block by default. Nick Rogness <nick@rogness.net> -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQA/AwUBPhSH0bvBDHaKKeQcEQJq4gCff11v7424NNafwIzKw7C/n5itNVAAn0vX 7AtuEb+7b8VWBUaDeUWP43b+ =2HIW -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030102112914.P4054-100000>