Date:      Fri, 3 Jan 2003 23:26:17 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Nick Rogness <nick@rogness.net>
Cc:        Lucky Green <shamrock@cypherpunks.to>, l.rizzo@iet.unipi.it, doc@freebsd.org
Subject:   Re: IPFW: suicidal defaults
Message-ID:  <20030103212617.GC2505@gothmog.gr>
In-Reply-To: <20030102112914.P4054-100000@skywalker.rogness.net>
References:  <000101c2b279$51d33ba0$6601a8c0@VAIO650> <20030102112914.P4054-100000@skywalker.rogness.net>

On 2003-01-02 11:41, Nick Rogness <nick@rogness.net> wrote:
> On Thu, 2 Jan 2003, Lucky Green wrote:
> > Folks,
> > A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvsup
> > from the security branch) machine. Following the instructions in the
> > Handbook at
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> > I recompiled the kernel with the required options and rebooted the
> > machine.
> >
> > What I would have expected to happen is for there to be a new kernel
> > that later on can be configured with firewall rules. But that is not
> > what happened. Instead, IPFW defaults to block all IP traffic unless
> > told otherwise: I was locked out of my machine! Which was on the other
> > side of the planet from where I was physically located.
> >
> > Now I am all for shipping systems that are secure out-of-the-box, but
> > defaulting an install to locking the admin out of his machine is not a
> > nice thing to do. While I would argue that this should never be done, at
> > the very least such a major trap should be mentioned in the Handbook so
> > that administrators that follow the Handbook's step-by-step instructions
> > know that they have to do so from the console, since in doing so they
> > will lock themselves out remotely.
> > Therefore, could you please be so kind as to prevent others from shooting
> > themselves in the foot as I did by
> >
> > 1) at least mention this danger *prominently* in the FreeBSD Handbook.
>
> 	Agreed.  There should be a mention.  However, someone has to write
> 	it.  Instead of bitching about it, go ahead and submit a change
> 	(bug report).

Oh but it is documented.  The sample configuration that one can find
at /usr/src/sys/i386/conf/LINT includes a comment:

# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.

Ignoring this is not a fault of the documentation :(

- Giorgos
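
A pre-flight check for the trap that LINT comment describes, added here as an example; it is not code from FreeBSD or from anyone in this thread. It assumes the rc.conf keyword firewall_type quoted above plus firewall_enable, the standard rc.conf switch that the thread does not name, and it treats an unset firewall_type the way the comment does: the kernel's default deny stays in force.

```shell
#!/bin/sh
# Pre-flight check for the lockout the LINT comment warns about: once IPFIREWALL
# is in the kernel its policy is "deny ip from any to any", so rebooting without
# a ruleset that admits your own session cuts off remote logins. Added example
# for this archive page, not code from FreeBSD or the thread; it uses the
# rc.conf keywords firewall_enable (not named in the thread) and firewall_type.

# rc_value FILE KEY: print the value of KEY's last uncommented assignment in
# FILE (quotes stripped, read up to the first space or '#'); print nothing if
# KEY is not set.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# ipfw_lockout_risk FILE: exit 0 when FILE is safe to apply over the network,
# 1 when the kernel's default deny would stay in force, 2 when a ruleset is
# selected that must be reviewed by hand before applying it remotely.
ipfw_lockout_risk() {
    fw_enable=$(rc_value "$1" firewall_enable)
    fw_type=$(rc_value "$1" firewall_type)
    case "$fw_enable" in
        [Yy][Ee][Ss]) ;;
        *)  # rc.firewall never runs: only the kernel's built-in deny rule exists
            echo "RISK: firewall_enable is not YES; default deny applies"
            return 1 ;;
    esac
    case "$fw_type" in
        open)
            echo "OK: firewall_type=open, rc.firewall passes all traffic"
            return 0 ;;
        "")
            echo "RISK: firewall_enable=YES but firewall_type is unset; default deny applies"
            return 1 ;;
        *)
            echo "REVIEW: firewall_type=$fw_type; confirm /etc/rc.firewall admits your session"
            return 2 ;;
    esac
}

# Constructed sample: a kernel with IPFIREWALL but an rc.conf that never names a
# ruleset, which is the situation that locked the original poster out.
demo=$(mktemp) && printf 'firewall_enable="YES"\n' > "$demo"
ipfw_lockout_risk "$demo"; echo "exit status: $?"
rm -f "$demo"
```

Run it against a copy of the rc.conf you are about to install, from the console, before the reboot that activates the new kernel.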
