Date: Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
From: Heikki Suonsivu <hsu@mail.clinet.fi>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/4141: ipfw default rule should be compile-time option
Message-ID: <199707220652.JAA22970@katiska.clinet.fi>
Resent-Message-ID: <199707220700.AAA11180@hub.freebsd.org>
>Number:         4141
>Category:       kern
>Synopsis:       ipfw default rule should be compile-time option
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 22 00:00:03 PDT 1997
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:   Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-STABLE i386
>Environment:

2.2-STABLE. Just supped to find out that the ipfw kernel interface has changed and the kernel and ipfw have to be changed in sync.

>Description:

The ipfw default rule was changed to deny over a year ago. This is the right thing in theory, but in practice it has been and still is a pain, causing a configuration mistake or kernel/ipfw command difference to always be fatal and to require manual attendance. Fine for pure firewalls and machines which are not kept current, but we also use ipfw for statistics collecting and as a network problem solving tool on machines which are otherwise intended to be open. This problem is particularly harmful with machines which are usually managed remotely (I have more than 50 scattered around within a 450km radius).

This would be easy to fix by adding a kernel compile option which would make the ipfw default rule "allow" instead of "deny". It would not harm anyone but would be a lifesaver for us.

>How-To-Repeat:

Replace a -stable kernel from a month ago (I think) with a -stable kernel from yesterday's sup and reboot, in a machine which has rc.firewall as "open". The ipfw command fails when trying to set the default rule to allow, so no networking.

>Fix:
>Audit-Trail:
>Unformatted:
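
The failure mode the report describes, as an added C sketch (not part of the original message and not FreeBSD's ipfw code): a toy first-match filter whose catch-all action is fixed at compile time, showing what happens when the userland rule load fails. The macro `FW_DEFAULT_TO_ACCEPT`, the `fw_*` names and the one-rule "open" ruleset are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

enum fw_action { FW_DENY, FW_ALLOW };

/* Hypothetical compile-time switch (name invented for this example):
 * build with -DFW_DEFAULT_TO_ACCEPT to make the catch-all rule allow. */
#ifdef FW_DEFAULT_TO_ACCEPT
#define FW_DEFAULT_ACTION FW_ALLOW
#else
#define FW_DEFAULT_ACTION FW_DENY
#endif

struct fw_rule { uint16_t dst_port; enum fw_action action; }; /* port 0 = any */

/* First match wins; with no match, or no rules loaded, the default decides. */
enum fw_action fw_check(const struct fw_rule *r, size_t n, uint16_t port,
                        enum fw_action dflt)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].dst_port == 0 || r[i].dst_port == port)
            return r[i].action;
    return dflt;
}

/* Models the report's failure: when the userland tool and the kernel are
 * out of sync, the rule load is rejected and the table stays empty. */
size_t fw_load(struct fw_rule *table, const struct fw_rule *wanted, size_t n,
               int abi_matches)
{
    if (!abi_matches)
        return 0;
    for (size_t i = 0; i < n; i++)
        table[i] = wanted[i];
    return n;
}

/* Is port 22 still reachable for remote management after the reboot? */
int fw_remote_reachable(int abi_matches, enum fw_action dflt)
{
    const struct fw_rule open_rules[] = { { 0, FW_ALLOW } }; /* constructed */
    struct fw_rule table[1] = { { 0, FW_DENY } };
    size_t n = fw_load(table, open_rules, 1, abi_matches);
    return fw_check(table, n, 22, dflt) == FW_ALLOW;
}

int main(void)
{
    printf("in sync: %d, out of sync: %d\n",
           fw_remote_reachable(1, FW_DEFAULT_ACTION),
           fw_remote_reachable(0, FW_DEFAULT_ACTION));
    return 0;
}
```

With the default left at deny, the out-of-sync case fails closed and the host is unreachable; with the switch defined it fails open, which is acceptable only on hosts that are meant to be open, as the report notes.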