Date: Mon, 4 Mar 2002 10:37:34 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: cjclark@alum.mit.edu
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc rc.firewall rc.firewall6
Message-ID: <20020304163734.GB17780@hellblazer.nectar.cc>
In-Reply-To: <20020304082439.A87533@blossom.cjclark.org>
References: <200202281451.g1SEpgY83070@freefall.freebsd.org> <20020304144420.GB17282@hellblazer.nectar.cc> <20020304082439.A87533@blossom.cjclark.org>
On Mon, Mar 04, 2002 at 08:24:39AM -0800, Crist J. Clark wrote:
> On Mon, Mar 04, 2002 at 08:44:20AM -0600, Jacques A. Vidrine wrote:
> > On Thu, Feb 28, 2002 at 06:51:42AM -0800, Crist J. Clark wrote:
> > > cjc 2002/02/28 06:51:42 PST
> > >
> > > Modified files: (Branch: RELENG_4)
> > > etc rc.firewall rc.firewall6
> > > Log:
> > > MFC: Bring rc.firewall{,6} more in line with the word and spirit of
> > > rc.conf(5) and the files' inline documentation.
> > >
> > > src/etc/rc.firewall 1.45
> > > src/etc/rc.firewall6 1.11
> >
> > I missed the discussion about this change. Would you mind giving me
> > some background, or just a pointer to the discussion?
> >
> > This seems to change the default (firewall_type="UNKNOWN") from
> > disallowing 127/8 on interfaces other than lo0 (i.e. it was
> > disallowed, but now it is allowed). I'm not sure that such a change
> > is appropriate for -STABLE.
>
> Not really. We don't explicitly disallow 127.0.0.0/8 since we are
> denying it by default.
Ah yes, that's right.
> The "UNKNOWN" type is documented to mean,
>
> # UNKNOWN - disables the loading of firewall rules.
>
> According to the comments in rc.firewall. In the past, you still got,
>
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
> When it was "UNKNOWN." That sure doesn't look like the loading of
> firewall rules was disabled.
Yes, I understand the reasoning for the change going forward, and I
agree with it. I'm just nervous about changes in the default behavior
of the firewall code in -STABLE.
> With the change, you get no rules loaded. This is actually "more
> secure" and fail-safe since we don't even pass any traffic on the
> loopback.
I didn't think about the default deny. This change pretty much breaks
machines with IPFIREWALL, but no setting for firewall_type. I don't
think I care :-)
> If one desires the old "UNKNOWN" behavior, there is the
> "closed" option which was documented in both rc.conf(5) and
> rc.firewall, but was unimplemented. I added it with this change.
Thanks for the briefing!
Cheers,
--
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
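The behaviour the thread argues over (firewall_type unset or "UNKNOWN" now loads nothing, so a default-deny kernel blocks even loopback, while "closed" loads the three rules quoted above) can be modelled as a dry run. The script below is an added example written for this archive page; it is not FreeBSD's rc.firewall. It assumes a hypothetical `fwcmd` that defaults to `echo` so no ipfw command is ever executed, and two hypothetical helpers, `rule_count` and `loopback_allowed`, whose second argument stands in for the kernel's compiled-in default policy (deny unless the kernel was built to accept by default).

```shell
#!/bin/sh
# Added example, not src/etc/rc.firewall. fwcmd defaults to "echo" so the
# rules are printed instead of loaded (assumption: a dry-run harness).
fwcmd="${fwcmd:-echo}"

# Emit the rules a given firewall_type would load.
# "closed": pass loopback, reject anything claiming 127/8 elsewhere.
# "UNKNOWN" (and unset): load nothing; the kernel default policy decides.
load_rules() {
    firewall_type="${1:-UNKNOWN}"
    case "$firewall_type" in
    [Cc][Ll][Oo][Ss][Ee][Dd])
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8
        ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
        ;;
    [Uu][Nn][Kk][Nn][Oo][Ww][Nn]|"")
        :   # nothing loaded
        ;;
    *)
        echo "unhandled firewall_type: $firewall_type" >&2
        return 1
        ;;
    esac
}

# Hypothetical helper: number of rules a firewall_type would load (dry run).
rule_count() {
    ( fwcmd=echo; load_rules "$1" ) | wc -l | tr -d ' '
}

# Hypothetical helper: would loopback traffic flow? Either an explicit
# pass-via-lo0 rule or an accept-by-default kernel policy lets it through.
# $2 models the kernel's compiled-in default: "deny" (the usual case) or
# "accept" (kernel built to accept by default).
loopback_allowed() {
    ftype="$1"
    policy="${2:-deny}"
    if ( fwcmd=echo; load_rules "$ftype" ) | grep -q 'pass all from any to any via lo0'; then
        echo yes
    elif [ "$policy" = accept ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demo: compare the two types under a default-deny kernel.
for t in closed UNKNOWN; do
    echo "firewall_type=$t: $(rule_count "$t") rule(s) loaded, loopback allowed: $(loopback_allowed "$t" deny)"
done
```

Running it shows the point Jacques makes: with IPFIREWALL compiled in and firewall_type left unset, the machine ends up with zero rules and no loopback, whereas "closed" gives the pre-change result.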
