Date:      Mon, 4 Mar 2002 08:24:39 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        "Jacques A. Vidrine" <nectar@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc rc.firewall rc.firewall6
Message-ID:  <20020304082439.A87533@blossom.cjclark.org>
In-Reply-To: <20020304144420.GB17282@hellblazer.nectar.cc>; from nectar@FreeBSD.org on Mon, Mar 04, 2002 at 08:44:20AM -0600
References:  <200202281451.g1SEpgY83070@freefall.freebsd.org> <20020304144420.GB17282@hellblazer.nectar.cc>

On Mon, Mar 04, 2002 at 08:44:20AM -0600, Jacques A. Vidrine wrote:
> On Thu, Feb 28, 2002 at 06:51:42AM -0800, Crist J. Clark wrote:
> > cjc         2002/02/28 06:51:42 PST
> > 
> >   Modified files:        (Branch: RELENG_4)
> >     etc                  rc.firewall rc.firewall6 
> >   Log:
> >   MFC: Bring rc.firewall{,6} more in line with the word and spirit of
> >   rc.conf(5) and the files' inline documentation.
> >   
> >     src/etc/rc.firewall           1.45
> >     src/etc/rc.firewall6          1.11
> 
> I missed the discussion about this change.  Would you mind giving me
> some background, or just a pointer to the discussion?
> 
> This seems to change the default (firewall_type="UNKNOWN") from
> disallowing 127/8 on interfaces other than lo0 (i.e. it was
> disallowed, but now it is allowed).  I'm not sure that such a change
> is appropriate for -STABLE.

Not really. We don't explicitly disallow 127.0.0.0/8 since we are
denying it by default.

The "UNKNOWN" type is documented to mean,

  #   UNKNOWN  - disables the loading of firewall rules.

According to the comments in rc.firewall. In the past, you still got,

  ${fwcmd} add 100 pass all from any to any via lo0
  ${fwcmd} add 200 deny all from any to 127.0.0.0/8
  ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

When it was "UNKNOWN." That sure doesn't look like the loading of
firewall rules was disabled.

With the change, you get no rules loaded. This is actually "more
secure" and fail-safe since we don't even pass any traffic on the
loopback. If one desires the old "UNKNOWN" behavior, there is the
"closed" option which was documented in both rc.conf(5) and
rc.firewall, but was unimplemented. I added it with this change.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

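The two rule sets discussed in this thread, as an added example that is not part of the message or of FreeBSD's own rc.firewall: a small POSIX sh model in which `fwcmd` records rules instead of running ipfw, `load_rules` emits what the "closed" and "UNKNOWN" types load, and `evaluate` walks the recorded rules first-match like ipfw does. It assumes the kernel's final rule is deny (the default without IPFIREWALL_DEFAULT_TO_ACCEPT), which is what makes an empty rule set fail-safe: with "UNKNOWN" even loopback traffic is dropped, while "closed" passes lo0 and rejects 127/8 on other interfaces. The interface names and addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not rc.firewall itself: model the rules loaded for
# firewall_type "closed" versus "UNKNOWN" and evaluate packets against them.
# Assumption: the kernel's implicit last rule (65535) is "deny ip from any to any".

RULES=""

# Stand-in for ${fwcmd}: instead of calling ipfw, append the rule text to $RULES.
fwcmd() {
    shift                      # drop the "add" verb
    RULES="${RULES}$*
"
}

# Load the rules rc.firewall would emit for the given firewall_type.
load_rules() {
    RULES=""
    case "$1" in
    closed)
        # the three rules that "UNKNOWN" used to load before the change
        fwcmd add 100 pass all from any to any via lo0
        fwcmd add 200 deny all from any to 127.0.0.0/8
        fwcmd add 300 deny ip from 127.0.0.0/8 to any
        ;;
    *)
        : # "UNKNOWN" (and anything unrecognised): no rules at all
        ;;
    esac
}

# Number of rules currently loaded.
rule_count() {
    printf '%s' "$RULES" | wc -l | tr -d ' '
}

# Does dotted-quad $1 fall inside $2 ("any", a host, or a /8, /16, /24 prefix)?
in_net() {
    addr=$1 net=$2
    case "$net" in
    any)  return 0 ;;
    */8)  [ "$(echo "$addr" | cut -d. -f1)"   = "$(echo "${net%/*}" | cut -d. -f1)" ] ;;
    */16) [ "$(echo "$addr" | cut -d. -f1,2)" = "$(echo "${net%/*}" | cut -d. -f1,2)" ] ;;
    */24) [ "$(echo "$addr" | cut -d. -f1-3)" = "$(echo "${net%/*}" | cut -d. -f1-3)" ] ;;
    *)    [ "$addr" = "${net%/32}" ] ;;
    esac
}

# evaluate SRC DST IFACE -> prints "pass" or "deny" for the first matching rule,
# falling through to the kernel's default deny when nothing matches.
# The protocol field ("all"/"ip") is treated as matching every packet.
evaluate() {
    src=$1 dst=$2 iface=$3
    hit=$(printf '%s' "$RULES" | while read -r num action proto _f rsrc _t rdst via rif; do
        [ -n "$via" ] && [ "$rif" != "$iface" ] && continue
        in_net "$src" "$rsrc" || continue
        in_net "$dst" "$rdst" || continue
        echo "$action"; break
    done)
    echo "${hit:-deny}"
}

# Usage: sh rc-fw-model.sh closed   (or UNKNOWN)
load_rules "${1:-UNKNOWN}"
echo "firewall_type=${1:-UNKNOWN}: $(rule_count) rule(s) loaded;" \
     "127.0.0.1 -> 127.0.0.1 via lo0: $(evaluate 127.0.0.1 127.0.0.1 lo0)"
```

Running it with `closed` shows loopback passing and a packet to 127.0.0.1 arriving on a non-loopback interface being denied by rule 200; with `UNKNOWN` nothing is loaded, so even the loopback packet falls to the default deny, which is the fail-safe behaviour the reply describes.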