Date:      Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
From:      Heikki Suonsivu <hsu@mail.clinet.fi>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   kern/4141: ipfw default rule should be compile-time option
Message-ID:  <199707220652.JAA22970@katiska.clinet.fi>
Resent-Message-ID: <199707220700.AAA11180@hub.freebsd.org>


>Number:         4141
>Category:       kern
>Synopsis:       ipfw default rule should be compile-time option
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 22 00:00:03 PDT 1997
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-STABLE i386
>Environment:

2.2-STABLE.  Just supped to find out that the ipfw kernel interface has changed
and the kernel and ipfw have to be changed in sync.

>Description:

The ipfw default rule was changed to deny over a year ago.  This is the right
thing in theory, but in practice it has been and still is a pain, causing any
configuration mistake or kernel/ipfw command difference to always be fatal and
to require manual attendance.  Fine for pure firewalls and machines which
are not kept current, but we also use ipfw for statistics collecting and as a
network problem-solving tool on machines which are otherwise intended to be
open.  This problem is particularly harmful with machines which are usually
managed remotely (I have more than 50 scattered around within a 450km
radius).

This would be easy to fix by adding a kernel compile option which would make
the ipfw default rule "allow" instead of "deny".  It would not harm anyone but
would be a lifesaver for us.

>How-To-Repeat:

Replace a -stable kernel from a month ago (I think) with a -stable kernel from
yesterday's sup, reboot, on a machine which has rc.firewall as "open".  The ipfw
command fails when trying to set the default rule to allow, so no networking.

>Fix:
	
>Audit-Trail:
>Unformatted:

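The How-To-Repeat above describes the failure a remote operator hits: the new kernel boots with ipfw's built-in default deny, the out-of-sync ipfw command cannot install the "open" ruleset, and the box drops off the network until someone walks to it. Until a compile-time default exists, the usual defence is a confirm-or-revert guard run after the reboot: probe whether the userland ipfw can still talk to the kernel, and if it cannot, fall back to something that restores connectivity. The script below is an added example, not part of this PR or of FreeBSD; the probe and fallback are passed in as commands so the logic can be exercised without ipfw, and the `ipfw list` probe and the reboot-to-previous-kernel fallback mentioned in the comments are assumptions about how it would be wired up on a real host.

```shell
#!/bin/sh
# Added example (not from the PR): confirm-or-revert guard around a kernel/ipfw
# upgrade on a remotely managed host.
#
# guard_firewall PROBE FALLBACK [RETRIES] [DELAY]
#   PROBE    - shell command that succeeds only if the firewall is usable.
#              Assumed real-world value: "ipfw list", which fails when the
#              ipfw binary and the kernel interface disagree.
#   FALLBACK - shell command run if PROBE never succeeds. Assumed real-world
#              value: whatever reboots the box into the previous kernel
#              (e.g. the saved old kernel), so the host comes back reachable.
#   RETRIES  - number of probe attempts (default 3).
#   DELAY    - seconds between attempts (default 1).
# Returns 0 if the probe succeeded, 1 if the fallback had to be run.
guard_firewall() {
    probe=$1
    fallback=$2
    retries=${3:-3}
    delay=${4:-1}
    i=0
    while [ "$i" -lt "$retries" ]; do
        # The probe's own output is not interesting; only its exit status is.
        if sh -c "$probe" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    # Every attempt failed: the firewall userland cannot reach the kernel (or
    # the ruleset never loaded). Run the fallback unconditionally and report.
    sh -c "$fallback"
    return 1
}

# Usage on a real host would be something like (assumed wiring, not tested here):
#   guard_firewall "ipfw list" "/sbin/reboot-to-old-kernel" 5 30
```

Run from rc after the reboot that installs the new kernel, the guard bounds the outage to RETRIES times DELAY seconds instead of "until someone drives there". It does not replace the requested compile-time default: when the ipfw command itself cannot set the default rule, only a fallback that changes the kernel restores networking, so the fallback must be something that works without ipfw at all.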