Date:      Fri, 5 Mar 2004 10:49:15 -0500
From:      Nigel Houghton <nigel@sourcefire.com>
To:        David Edwards <david@deassociates.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw question
Message-ID:  <20040305154915.GA551@enterprise.sfeng.sourcefire.com>
In-Reply-To: <001801c40259$04be1ed0$6400a8c0@winxp1700>
References:  <20040304074442.GA571@kolic.net> <001801c40259$04be1ed0$6400a8c0@winxp1700>

On  0, David Edwards <david@deassociates.com> allegedly wrote:
> Hello folks. I have a quick question about ipfw on a 4.8 server.
> 
> In /etc/rc.conf, if you set this (firewall_type="OPEN"), is it also
> necessary to have options IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config
> file?

No, it is not necessary. firewall_type="open" means just that: it is open
and everything is allowed.

> 
> I would think that using the first would be better because it can be
> removed, thus allowing no one access, including yourself if you aren't
> careful. Whereas the second method above, in the kernel config leaves it
> open if no rules exist or if all rules are flushed. So the big question
> is, do I use both, or one or the other? I know I can just do options
> IPFIREWALL, but I want to ensure no way of locking myself out at initial
> reboot, since this is a remote server. I am also aware of the risks of doing
> it remotely. But I need to do this.

You are headed in the right direction, start with the "open" option and
work from there, just be careful when you start adding rules and reloading
rulesets. Allow what you need, and let the default deny take care of
everything else.

> 
> Thanks for your help.
> 
> David Edwards
> 
-------------------------------------------------------------
Nigel Houghton  Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
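The two messages above describe a procedure (start from firewall_type="open", add only the rules you need, let the default deny catch the rest, and do not lock yourself out of a remote box). The script below is an added example written for this page, not code from the thread, from FreeBSD, or from either poster. It assumes ipfw(8) on FreeBSD, a management network in ADMIN_NET (a constructed placeholder), and rule numbers that are my own choices. The one design point it adds to the thread: the rollback job installs an explicit allow-all rule after the flush, so it behaves the same whether or not the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, which is exactly the difference David was asking about.

```shell
#!/bin/sh
# Added example, not from the thread: a lock-out-resistant way to move a remote
# FreeBSD/ipfw host from firewall_type="open" to a restrictive ruleset.
# Assumptions (mine): ipfw(8) is present, the admin connects over SSH from
# ADMIN_NET, and the rule numbers below are arbitrary.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"        # constructed placeholder management network
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"         # seconds until the safety rollback fires
PIDFILE="${PIDFILE:-/var/run/ipfw_rollback.pid}"

# Print the effective firewall_type from an rc.conf-style file (last assignment
# wins, as it does for sh). Prints nothing if the variable is never set.
firewall_type_of() {
    sed -n 's/^[[:space:]]*firewall_type="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Emit a reviewable ruleset, one ipfw command per line: allow what is needed,
# and let the final deny handle everything else. Arguments: TCP ports to
# accept from anywhere (for example 80 443).
build_ruleset() {
    n=100
    emit() { echo "add $n $*"; n=$((n + 100)); }
    emit allow ip from any to any via lo0
    emit check-state
    # SSH from the management network is allowed statelessly in both directions
    # on purpose: the session that loads this ruleset has no dynamic state after
    # the flush, so a setup/keep-state rule alone would drop it.
    emit allow tcp from "$ADMIN_NET" to me 22
    emit allow tcp from me 22 to "$ADMIN_NET"
    for port in "$@"; do
        emit allow tcp from any to me "$port" setup keep-state
    done
    emit allow ip from me to any keep-state
    emit deny log ip from any to any
}

# Load a ruleset file, but first schedule an unconditional revert to allow-all.
# If the new rules cut off your session, the box reopens by itself after
# ROLLBACK_SECS; if you can still log in, cancel the job with cancel_rollback.
apply_with_rollback() {
    rules_file=$1
    nohup sh -c "sleep $ROLLBACK_SECS; ipfw -q -f flush; ipfw -q add 65000 allow ip from any to any" \
        >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    ipfw -q -f flush          # only the kernel default rule 65535 remains now
    ipfw -q "$rules_file"     # ipfw reads "add ..." commands from the file
    echo "rules loaded; rollback in ${ROLLBACK_SECS}s unless cancelled (pid $(cat "$PIDFILE"))"
}

cancel_rollback() {
    [ -r "$PIDFILE" ] && kill "$(cat "$PIDFILE")" 2>/dev/null && rm -f "$PIDFILE"
}

case "${1:-}" in
    build)  shift; build_ruleset "$@" ;;
    apply)  apply_with_rollback "$2" ;;
    cancel) cancel_rollback ;;
    check)  echo "firewall_type=$(firewall_type_of "${2:-/etc/rc.conf}")" ;;
esac
```

Typical use on the remote host: `sh ipfw-safe.sh build 80 443 > /etc/ipfw.rules`, read the file, then `sh ipfw-safe.sh apply /etc/ipfw.rules`, open a second SSH session to confirm you still get in, and only then `sh ipfw-safe.sh cancel`. If the second login fails, do nothing: the rollback job flushes the rules and puts an allow-all rule back.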
