Date:      Sat, 01 Apr 2000 16:52:24 +0100
From:      Brian 'Astrolox' Wojtczak <astrolox@innocent.com>
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: NATD Translation
Message-ID:  <3.0.3.32.20000401165224.00a01dc0@mail.virgin.net>
In-Reply-To: <Pine.BSF.4.10.10003291026370.72565-100000@home.offwhite.net>
References:  <38E21E40.2FA2352A@origen.com>

>I have a correction to my last comment.
>
>I looked up the rc.conf setting for firewall=open and I think you can
>ignore it.  It appears that I actually am using the wrong variable name.
>In the LINT kernel example config file you will find an explanation for
>it.  Here it is.
>
># WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
># and if you do not add other rules during startup to allow access,
># YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
># in /etc/rc.conf when first enabling this feature, then refining the
># firewall rules in /etc/rc.firewall after you've tested that the new kernel
># feature works properly.
>
>I must have had a typo when setting this up but it still worked.  I was
>just being cautious without any real good reason.  I am guessing that
>/etc/rc.firewall set up the rules just right for me so that it would work.
>Since it worked for me right away I did not spend any more time with it.
>
>I am now trying to learn more about it.
>

No!!!

I have FreeBSD 3.4.  I doubt that FreeBSD 4.0 is all that much different, but
I might be wrong, so I am talking about 3.4 here.

Firewall rules are a list.  There must be at least one item in the list.
That item is placed in the list by the kernel.  It is placed at the bottom
(end) of the list.  The list is read from top to bottom and the first
matching rule is used.  The rules that the kernel can add are either
Allow Everything ("allow ip from any to any")  or  Deny Everything ("deny
ip from any to any").  The rule added by the kernel is called the DEFAULT
RULE.

When "firewall_types=open" is used in the kernel configuration file
(MYKERNEL from now on) it means that the firewall will not drop any packets
BY DEFAULT.  That is, the DEFAULT RULE is Allow Everything.  This is very
insecure, and should never be used, ever!!! (I believe)
  
When "firewall_types=open" is used in the startup configuration file
(/etc/rc.conf) it has a totally different meaning.  It is the name of the
firewall type that the firewall rules script (/etc/rc.firewall) should use.
The options for this are defined in /etc/rc.firewall.  I do not recommend
you use it, unless you don't care about a firewall.  I recommend that you
edit /etc/rc.firewall and customize it to what you want - there is lots of
information about this on the internet, and I will be releasing a tutorial
on it soon (at www.astrolox.com).

Hope that clears that up.


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

               Brian 'Astrolox' Wojtczak
         "If ya going to do it, do it in style"

   World Wide Web Page:   http://www.astrolox.com/
   EMail Address:         astrolox@innocent.com

    Personal RSA PGP Key - be aware of fake keys:
   89 30 61 EC 2B CA C8 FA  EC 11 87 6D DA 50 7C 6B
     Bits: 2048  Id: 10E51DFD  Date: 2000/02/16 

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
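The first-match list evaluation described above, as an added example that is not part of the original thread or of FreeBSD's own code: a small Python model of an ipfw rule list with the kernel's default rule 65535 at the end, exercising the lockout case (no rules, default deny), the open case (one allow-everything rule, the shape rc.conf's firewall_type=open installs) and a custom ruleset. The rule-syntax subset, the rule numbers and the addresses are constructed, and `default_to_accept` models a kernel whose default rule allows everything (the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model (not FreeBSD code): ipfw keeps rules as a numbered list,
# reads it top to bottom, uses the first match, and the kernel appends a
# default rule at 65535 that either allows or denies everything.
DEFAULT_RULE = 65535

@dataclass
class Rule:
    number: int
    action: str  # "allow" or "deny"
    proto: str   # "ip" matches every protocol
    src: str     # "any" or one host address (no netmasks in this model)
    dst: str

def parse_rule(line: str) -> Rule:
    """Parse the subset '<num> <allow|deny> <proto> from <src> to <dst>'."""
    num, action, proto, kw_from, src, kw_to, dst = line.split()
    if (kw_from, kw_to) != ("from", "to") or action not in ("allow", "deny"):
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(int(num), action, proto, src, dst)

def matches(rule: Rule, proto: str, src: str, dst: str) -> bool:
    return (rule.proto in ("ip", proto)
            and rule.src in ("any", src)
            and rule.dst in ("any", dst))

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             default_to_accept: bool = False) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches."""
    default = Rule(DEFAULT_RULE, "allow" if default_to_accept else "deny",
                   "ip", "any", "any")
    for rule in sorted(rules, key=lambda r: r.number) + [default]:
        if matches(rule, proto, src, dst):
            return rule.action, rule.number
    raise RuntimeError("unreachable: the default rule matches everything")

# Constructed rulesets. OPEN_RULES has the shape firewall_type=open installs:
# one allow-everything rule, so the default rule is never consulted.
OPEN_RULES = [parse_rule("65000 allow ip from any to any")]
# A custom set that only lets the admin host 192.0.2.5 reach the firewall.
CUSTOM_RULES = [parse_rule("100 allow ip from 192.0.2.5 to 192.0.2.1"),
                parse_rule("200 allow ip from 192.0.2.1 to 192.0.2.5")]

if __name__ == "__main__":
    # No rules plus the default deny is the lockout case from the LINT warning.
    print(evaluate([], "tcp", "198.51.100.7", "192.0.2.1"))
    print(evaluate(OPEN_RULES, "tcp", "198.51.100.7", "192.0.2.1"))
    print(evaluate(CUSTOM_RULES, "tcp", "192.0.2.5", "192.0.2.1"))
```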


