Date:      Thu, 2 Jan 2003 11:41:11 -0700 (MST)
From:      Nick Rogness <nick@rogness.net>
To:        Lucky Green <shamrock@cypherpunks.to>
Cc:        l.rizzo@iet.unipi.it, <doc@FreeBSD.ORG>
Subject:   Re: IPFW: suicidal defaults
Message-ID:  <20030102112914.P4054-100000@skywalker.rogness.net>
In-Reply-To: <000101c2b279$51d33ba0$6601a8c0@VAIO650>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 2 Jan 2003, Lucky Green wrote:

> Folks,
> A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvsup
> from the security branch) machine. Following the instructions in the
> Handbook at
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
> I recompiled the kernel with the required options and rebooted the
> machine.
>
> What I would have expected to happen is for there to be a new kernel
> that later on can be configured with firewall rules. But that is not
> what happened. Instead, IPFW defaults to block all IP traffic unless
> told otherwise: I was locked out of my machine! Which was on the other
> side of the planet from where I was physically located.

	Do some research and testing before installing something at such a
	remote location.  Basic SysAdmin-101 concepts.

>
> Now I am all for shipping systems that are secure out-of-the-box, but
> defaulting an install to locking the admin out of his machine is not a
> nice thing to do. While I would argue that this should never be done, at
> the very least such a major trap should be mentioned in the Handbook so
> that administrators that follow the Handbook's step-by-step instructions
> know that they have to do so from the console, since in doing so they
> will lock themselves out remotely.
> Therefore, could you please be so kind and prevent others from shooting
> themselves in the foot as I did by
>
> 1) at least mention this danger *prominently* in the FreeBSD Handbook.
>

	Agreed.  There should be a mention.  However, someone has to write
	it.  Instead of bitchin about it, go ahead and submit a change
	(bug report).


> 2) ideally set IPFW defaults so that they don't screw up people's lives.
>

	This probably won't happen, nor should it.

	A lot of firewalls come with default to deny.  It is not as
	unusual as you would think.  In fact, it makes sense to block by
	default.

Nick Rogness <nick@rogness.net>



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPhSH0bvBDHaKKeQcEQJq4gCff11v7424NNafwIzKw7C/n5itNVAAn0vX
7AtuEb+7b8VWBUaDeUWP43b+
=2HIW
-----END PGP SIGNATURE-----
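
The lockout discussed in this thread can be caught before rebooting into the new kernel. The script below is an added example, not part of the original messages. It assumes the stock FreeBSD names `IPFIREWALL`, `IPFIREWALL_DEFAULT_TO_ACCEPT`, `firewall_enable` and `firewall_type` (none of which appear in the thread), and the function names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check for the IPFW default-deny lockout.
# Kernel option and rc.conf variable names are FreeBSD's; the file contents
# written below are constructed samples, not taken from the thread.

# has_option FILE NAME: true if FILE has an uncommented "options NAME" line.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|#|\$)" "$1"
}

# rc_value FILE VAR: print the last value assigned to VAR (quotes stripped).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# lockout_risk KERNCONF RCCONF
# Returns 0 = traffic still passes, 1 = default deny with no rules loaded,
# 2 = a ruleset is loaded and must be reviewed by hand.
lockout_risk() {
    has_option "$1" IPFIREWALL || { echo "ok: IPFW not compiled in"; return 0; }
    if has_option "$1" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "ok: kernel default rule is allow"; return 0
    fi
    case $(rc_value "$2" firewall_enable) in
        [Yy][Ee][Ss]) ;;
        *) echo "LOCKOUT: default deny and no rules loaded at boot"; return 1 ;;
    esac
    fw_type=$(rc_value "$2" firewall_type)
    if [ "$fw_type" = open ]; then
        echo "ok: rc.firewall 'open' ruleset allows all"; return 0
    fi
    echo "REVIEW: ruleset '${fw_type:-unset}' must allow your remote session"
    return 2
}

# Constructed sample: the situation described in the thread.
tmp=$(mktemp -d)
printf 'options INET\noptions IPFIREWALL\n#options IPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$tmp/KERNEL"
printf 'sshd_enable="YES"\n' > "$tmp/rc.conf"
lockout_risk "$tmp/KERNEL" "$tmp/rc.conf" || echo "exit status: $?"
```

The check only reads the static kernel config and rc.conf; it does not cover IPFW loaded as a module or rules added by other startup scripts.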


