From: Nick Rogness
To: Lucky Green
Cc: l.rizzo@iet.unipi.it
Date: Thu, 2 Jan 2003 12:12:38 -0700 (MST)
Subject: RE: IPFW: suicidal defaults

On Thu, 2 Jan 2003, Lucky Green wrote:

> > This probably won't happen, nor should it.
> >
> > A lot of firewalls come with default to deny. It is not as
> > unusual as you would think. In fact, it makes sense to block by
> > default.
>
> I don't have a problem with the firewall shipping with a default to
> deny. What I am having a problem with is the firewall becoming active by
> simply recompiling the kernel with firewall options included and without
> the user first having to enable the firewall in one of the rc.* config
> files. Either ship the firewall with a default to allow (sub-optimal) or
> require the user to enable the firewall by creating an entry in rc.*,
> but please, please require some positive act from the administrator
> other than compiling in kernel options before that beast goes live.

Ummm, unless things have changed, just recompiling the kernel
with 'options IPFIREWALL' won't enable your firewall. You need
the corresponding option in /etc/rc.conf:

    firewall_enable="YES"

If you recompiled your kernel with 'options IPFIREWALL' and didn't
enable the above switch in /etc/rc.conf then your problem isn't
the firewall blocking you. Chances are your kernel won't load
properly on the machine the way you compiled it.

Nick Rogness