Date:      Sun, 27 Jan 2002 20:28:16 +0000
From:      Nik Clayton <nik@freebsd.org>
To:        Nate Williams <nate@yogotech.com>
Cc:        Nik Clayton <nik@FreeBSD.ORG>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127202816.A40565@clan.nothing-going-on.org>
In-Reply-To: <15441.36372.572274.479242@caddis.yogotech.com>; from nate@yogotech.com on Fri, Jan 25, 2002 at 09:55:48AM -0700
References:  <20020124201411.A39351-100000@rockstar.stealthgeeks.net> <20020125092154.U53456@clan.nothing-going-on.org> <15441.36372.572274.479242@caddis.yogotech.com>

On Fri, Jan 25, 2002 at 09:55:48AM -0700, Nate Williams wrote:
> > > I recently got bit by this: I have firewall options configured into my
> > > kernel, and made the mistake of thinking that in order to disable
> > > this functionality to allow all traffic that I merely needed to remove the
> > > firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
> > > /etc/defaults/rc.conf.
> > >
> > > This did not have the intended result of disabling the firewall, rather a
> > > default deny was applied. If firewall_enable is set to NO, wouldn't it make
> > > more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
> > > missing something?
> > >
> > > Opinions welcome.
> >
> > I've got a hunch this needs to be a tri-state variable.
> >
> >    YES -- Load the firewall rules
> >    NO  -- Do nothing, default policy is compiled in to the kernel
> >    OFF -- Explicitly set net.inet.ip.fw.enable=0
>
> Can you ever think of where 'NO' != 'OFF'.

I'm working on the console of a machine on a network that I don't trust
and where I've configured the network interfaces in rc.conf but haven't
yet configured the firewall rules.

Which happens on a fairly regular basis for me.

N
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)
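
The tri-state firewall_enable handling sketched in the quoted proposal, modelled in sh as an added example (not code from the thread or from FreeBSD's own rc scripts). It resolves firewall_enable the way rc.conf layering does (defaults file first, local file on top), maps YES/NO/OFF to an action, and flags the lockout case from the original post. The function names and the "accept"/"deny" kernel-policy argument are assumptions made for the example; the kernel's compiled-in default policy is what the IPFIREWALL_DEFAULT_TO_ACCEPT option controls.

```shell
# Added example: model of the proposed tri-state firewall_enable handling.
# Not from the thread or from FreeBSD's rc scripts; function names are made up.

# Resolve firewall_enable the way rc.conf layering does: source the defaults
# file first, then the local rc.conf on top of it. Prints the final value.
resolve_firewall_enable() {
    defaults_file=$1
    local_file=$2
    firewall_enable="NO"              # fallback if neither file sets it
    . "$defaults_file"
    [ -r "$local_file" ] && . "$local_file"
    printf '%s\n' "$firewall_enable"
}

# Map the tri-state value to the action the rc script should take.
# YES loads rules, NO leaves the kernel's compiled-in policy alone,
# OFF explicitly disables ipfw via net.inet.ip.fw.enable=0.
# Anything else is rejected rather than guessed at.
firewall_action() {
    case "$1" in
    [Yy][Ee][Ss]) echo load_rules ;;
    [Nn][Oo])     echo keep_kernel_default ;;
    [Oo][Ff][Ff]) echo disable_ipfw ;;
    *)            echo "unknown:$1"; return 1 ;;
    esac
}

# The trap from the original post: with IPFIREWALL compiled in and no
# IPFIREWALL_DEFAULT_TO_ACCEPT, firewall_enable=NO means the kernel's
# default deny rule is what filters traffic. $2 is the kernel's compiled-in
# policy, "accept" or "deny" (an assumed argument; on a real host you would
# read it from the kernel configuration). Succeeds when lockout is likely.
lockout_risk() {
    [ "$(firewall_action "$1")" = keep_kernel_default ] && [ "$2" = deny ]
}
```

Rejecting unknown values instead of treating them as NO is deliberate: for a knob that decides whether traffic is filtered at all, a typo should be a visible error, not a silent fall-through to the compiled-in policy.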
