Date:      Sun, 27 Jan 2002 00:46:56 -0700 (MST)
From:      "M. Warner Losh" <imp@village.org>
To:        nate@yogotech.com
Cc:        stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127.004656.53474822.imp@village.org>
In-Reply-To: <15443.44156.595426.139371@caddis.yogotech.com>
References:  <15443.42601.781625.356369@caddis.yogotech.com> <20020127.002337.37328950.imp@village.org> <15443.44156.595426.139371@caddis.yogotech.com>

In message: <15443.44156.595426.139371@caddis.yogotech.com>
            Nate Williams <nate@yogotech.com> writes:
: > You still haven't responded to my comment that I have it setup like
: > this on some of my boxes so that I can do things that don't fit in
: > well with the current firewall paradigm.  Nor to my comment that we
: > shouldn't be changing a security feature in a fail*UN*safe way.
: 
: Explain to me how disabling the firewall with 'FIREWALL_ENABLE=NO' can
: be unsafe?

Because I have the firewall compiled into my kernel with the setting
to not pass any packets.  Due to some strange network stuff on my end,
I don't load the actual rules until way late in the boot process,
later than the normal firewall rules.  I go from having the system not
passing any packets, to the system passing only those that the
firewall rules allow.

Most of the reason I do this is because I have to get data on usage
patterns from another system, and can't do that early enough in the
boot process.  The rules I have are dynamic based on how much
bandwidth the coop has used so far this month and other conditions
that change from time to time.  Right now we do default route AFTER we
load the firewall rules.  However, the usage data is on another
machine, not on my local segment.  We've also found that the wireless
link we have does better when bandwidth limited during bad weather
(again, the data isn't on the router, but on another machine not on
its local segment).

Another reason would be because we would be communicating with a host
that accepts only ipsec connections.  This too happens after the
firewall rules are added.  While we don't do this today, it won't be
too long into the future before we do do this.

: Can you show me *ANY* system that uses a closed down firewall that also
: has FIREWALL_ENABLE=NO?  That would be the only 'safe->unsafe'
: transition, since otherwise the default firewall setup is wide-open.

rover.village.org has such a setup today.

: > I'll grant that I might be in the minority here, but I sure don't want
: > my ability to use my firewall going away after my "next"
: > mergemaster change because you were helpful and unloaded/disabled
: > stuff for me.
: 
: Fixing something that's broken is still fixing something.  If you don't
: want a firewall, then why have it activated and enabled?  (This is a
: rhetorical question.)

Because I don't want the automatic firewall rules to happen at the
place in the boot sequence where they happen now.

Warner
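The kind of setup the message describes, a kernel with the firewall compiled in and defaulting to deny, with bandwidth-limited ipfw rules loaded late in boot from usage data fetched elsewhere, as an added example that is not Warner's own script; the usage-file path, interface name, LAN prefix and usage thresholds are assumptions.

```shell
#!/bin/sh
# Late-boot ipfw loader for a kernel built with IPFIREWALL and default-deny.
# Until this runs the kernel passes nothing; afterwards only these rules pass.
# Constructed example: the usage file, interface, LAN and thresholds are assumptions.

USAGE_FILE="${USAGE_FILE:-/var/db/coop-usage-mb}"  # assumed: month-to-date usage in MB, fetched from another host
EXT_IF="${EXT_IF:-xl0}"                           # assumed external interface
LAN="${LAN:-10.1.0.0/16}"                         # assumed coop LAN

# Map month-to-date usage (MB) to a dummynet pipe bandwidth (assumed thresholds).
bw_for_usage() {
    if [ "$1" -ge 9000 ]; then echo 128Kbit/s
    elif [ "$1" -ge 6000 ]; then echo 512Kbit/s
    else echo 2Mbit/s
    fi
}

# Emit the rule set on stdout in ipfw(8) rule-file syntax; nothing is applied here.
gen_rules() {
    bw=$(bw_for_usage "$1")
    cat <<EOF
flush
pipe 1 config bw $bw
add 100 allow ip from any to any via lo0
add 200 deny ip from 127.0.0.0/8 to any
add 300 pipe 1 ip from $LAN to any out via $EXT_IF
add 400 allow tcp from any to any established
add 500 allow ip from $LAN to any
add 600 allow udp from any 53 to $LAN
add 700 allow icmp from any to any icmptypes 0,3,11
EOF
}

# Read the usage figure and load the rules in a single ipfw run (needs
# options IPFIREWALL and DUMMYNET in the kernel; run as root on the router).
apply_rules() {
    usage=$(cat "$USAGE_FILE" 2>/dev/null || echo 0)
    tmp=$(mktemp) || return 1
    gen_rules "$usage" > "$tmp"
    ipfw -q -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# From a late rc script, after the usage data is reachable: apply_rules
```

Because the rules are generated first and handed to ipfw as one file, the box goes straight from "pass nothing" to "pass only what these rules allow" with no open window in between.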
