Date: Mon, 24 Jun 2002 22:24:37 -0400
From: Chris Pepper <pepper@reppep.com>
To: <billf@FreeBSD.org>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, freebsd-bugs@FreeBSD.org
Subject: Re: kern/39814: GENERIC kernel should include ipfw
Message-ID: <a05200107b93d847d628d@[64.81.19.109]>
In-Reply-To: <200206250217.g5P2Hvt68844@freefall.freebsd.org>
References: <200206250217.g5P2Hvt68844@freefall.freebsd.org>
At 7:17 PM -0700 02/6/24, <billf@FreeBSD.org> wrote:

>Synopsis: GENERIC kernel should include ipfw
>
>State-Changed-From-To: open->closed
>State-Changed-By: billf
>State-Changed-When: Mon Jun 24 19:16:11 PDT 2002
>State-Changed-Why:
>thanks to the joys of kernel modules, firewalling doesn't
>require a kernel rebuild (or reboot).
>
>man kldload, man ipfw, see src/sys/modules/ipfw/Makefile
>
>IPFIREWALL_FORWARDing requiring a kernel rebuild is a
>known issue and is being addressed already.
>
>
>http://www.freebsd.org/cgi/query-pr.cgi?pr=39814

Then /usr/share/man/man7/firewall.7.gz should be updated, as it claims a
kernel rebuild is required for firewall usage:

>IPFW KERNEL CONFIGURATION
>     To use the ip firewall features of FreeBSD you must create a custom
>     kernel with the IPFIREWALL option set. The kernel defaults its firewall
>     to deny all packets by default, which means that if you do not load in
>     a permissive ruleset via /etc/rc.conf, rebooting into your new kernel
>     will take the network offline and will prevent you from being able to
>     access it if you are not sitting at the console. It is also quite
>     common to update a kernel to a new release and reboot before updating
>     the binaries. This can result in an incompatibility between the ipfw(8)
>     program and the kernel which prevents it from running in the boot
>     sequence, also resulting in an inaccessible machine. Because of these
>     problems the IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is also
>     available which changes the default firewall to pass through all
>     packets. Note, however, that this is a very dangerous option to set
>     because it means your firewall is disabled during booting. You should
>     use this option while getting up to speed with FreeBSD firewalling, but
>     get rid of it once you understand how it all works to close the
>     loophole.
>
>     There is a third option called IPDIVERT which allows you to use the
>     firewall to divert packets to a user program and is necessary if you
>     wish to use natd(8) to give private internal networks access to the
>     outside world. If you want to be able to limit the bandwidth used by
>     certain types of traffic, the DUMMYNET option must be used to enable
>     ipfw pipe rules.

Chris Pepper
--
Chris Pepper: <http://www.reppep.com/~pepper/>
Rockefeller University: <http://www.rockefeller.edu/>
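The lockout described in the quoted firewall(7) text (IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT, and no ruleset selected in /etc/rc.conf) can be checked before rebooting a remote box. The script below is an added example written for this thread, not part of the message or of FreeBSD; it assumes the ruleset is selected via `firewall_type` or `firewall_script` in rc.conf, and the config files it inspects are constructed inline.

```shell
#!/bin/sh
# Pre-reboot lockout check for an ipfw kernel (added example, constructed inputs).

# 0 if the kernel config sets IPFIREWALL but not IPFIREWALL_DEFAULT_TO_ACCEPT,
# i.e. the kernel will boot with a default-deny firewall.
kernel_default_deny() {
    grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$1" &&
    ! grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"
}

# 0 if rc.conf enables the firewall and names a ruleset (assumption: via
# firewall_type or firewall_script), which is what lifts default-deny at boot.
rcconf_loads_ruleset() {
    grep -Eq '^[[:space:]]*firewall_enable="?YES"?' "$1" &&
    grep -Eq '^[[:space:]]*firewall_(type|script)="?[^"[:space:]]+"?' "$1"
}

# Returns 1 (and says why) when rebooting would leave the machine unreachable.
lockout_check() {
    if kernel_default_deny "$1" && ! rcconf_loads_ruleset "$2"; then
        echo "LOCKOUT RISK: default-deny kernel and no ruleset selected in rc.conf"
        return 1
    fi
    echo "ok: kernel passes traffic by default or rc.conf loads a ruleset"
    return 0
}

# Constructed sample files standing in for the kernel config and /etc/rc.conf.
TMPD=$(mktemp -d)
KERN_DENY=$TMPD/KERN_DENY;     printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_VERBOSE\n' > "$KERN_DENY"
KERN_ACCEPT=$TMPD/KERN_ACCEPT; printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_DEFAULT_TO_ACCEPT\n' > "$KERN_ACCEPT"
RC_NONE=$TMPD/rc_none;         printf 'sshd_enable="YES"\n' > "$RC_NONE"
RC_OPEN=$TMPD/rc_open;         printf 'firewall_enable="YES"\nfirewall_type="open"\n' > "$RC_OPEN"

lockout_check "$KERN_DENY" "$RC_NONE"    # LOCKOUT RISK
lockout_check "$KERN_DENY" "$RC_OPEN"    # ok
lockout_check "$KERN_ACCEPT" "$RC_NONE"  # ok (but firewall is open during boot)
```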