Date:      Mon, 28 Jan 2002 15:40:56 -0700
From:      Nate Williams <nate@yogotech.com>
To:        "M. Warner Losh" <imp@village.org>
Cc:        nate@yogotech.com, cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject:   Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID:  <15445.54136.731213.811969@caddis.yogotech.com>
In-Reply-To: <20020128.153704.109572342.imp@village.org>
References:  <15445.48617.802871.870971@caddis.yogotech.com> <20020128.151138.115627568.imp@village.org> <15445.53283.957773.221016@caddis.yogotech.com> <20020128.153704.109572342.imp@village.org>

> : > 	# Initialize IP filtering using ipfw
> : > 	#
> : > 	if /sbin/ipfw -q flush > /dev/null 2>&1; then
> : > 		ipfw_in_kernel=1
> : > 	else
> : > 		ipfw_in_kernel=0
> : > 	fi
> : > 
> : > 	case ${ipfw_enable} in
> : > 	[Yy][Ee][Ss])
> : > 		if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
> : > 			ipfw_in_kernel=1
> : > 			echo 'Kernel firewall module loaded'
> : > 		elif [ "${ipfw_in_kernel}" -eq 0 ]; then
> : > 			echo 'Warning: firewall kernel module failed to load'
> : > 		fi
> : > 		;;
> : > 	esac
> : 
> : This loads things automagically if 'firewall is enabled', and does
> : nothing if the 'firewall isn't enabled'.
> 
> No.  It says if ipfw is enabled, and not in the kernel, load it.

I'm in violent agreement with that.

> : > 	case ${ipfw_in_kernel} in
> : > 	1)
> : > ... (indentation <<)
> : > 	case ${ipfw_firewall_enable} in
> : 
> : All of the above is just safety code.
> 
> This says that "I know that I have IPFW in the kernel, but I want to
> disable its firewall functionality"

Actually, this says I know that I have firewall in the kernel.  The only
time this code is used is when the firewall isn't statically compiled
in, and it failed to load.

> : > 	*)
> : > 		if [ -r "${ipfw_script}" ]; then
> : > 		...
> : > 		elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
> : > 			echo 'Warning: kernel has firewall functionality,' \
> : > 			     'but firewall rules are not enabled.'
> : > 			echo '		 All ip services are disabled.'
> : > 		fi
> : 
> : Which doesn't help much if you are not sitting at the console, but it'll
> : be seen once you login and check the logfiles.  (Been there, done that,
> : hence the reason for my passioned opinions on this subject. :)
> 
> Agreed.  But the warning is there still.
> 
> : Except the chicken/egg problem, I'm not sure how to get the old
> : 'default' functionality and still allow someone to easily 'disable' the
> : kernel.  (Again, I don't care for the ipfw_firewall_disable variable.
> : Also, the name is a bit redundant, but now I'm picking nits. :) :) :)
> 
> You missed the no clause of the case.
> 
> If you set ipfw_firewall_enable=no, it will disable ipfw even if it is
> compiled into the kernel.

Yes, and I think having this is a good thing.  However, what are the
default values for the variables?



Nate
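The startup logic argued over above, as an added example that is not the rc patch from this thread: the decision is factored into a pure function so each branch (module load, load failure, ipfw_firewall_enable=no, the warning on the default deny rule) can be exercised without a FreeBSD kernel. The probe functions, the printed action names, and the defaults for ipfw_enable, ipfw_firewall_enable and ipfw_script are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not the proposed rc.conf code. Variable names follow the
# quoted proposal; the defaults and action names below are assumptions.

# Probes of kernel state. Override these functions to simulate a kernel.
# Note: the proposal detects ipfw by flushing, which also empties the
# rule set; that is acceptable only because it runs at boot.
ipfw_in_kernel() { /sbin/ipfw -q flush >/dev/null 2>&1; }
ipfw_load_module() { kldload ipfw >/dev/null 2>&1; }
ipfw_only_default_deny() {
    [ "$(/sbin/ipfw l 65535 2>/dev/null)" = "65535 deny ip from any to any" ]
}

# ipfw_plan ENABLE FW_ENABLE IN_KERNEL LOAD_OK HAVE_SCRIPT DEFAULT_DENY
# Prints the action the startup block would take for that state.
ipfw_plan() {
    enable=$1 fw_enable=$2 in_kernel=$3 load_ok=$4 have_script=$5 default_deny=$6
    case $enable in
    [Yy][Ee][Ss])
        # Not compiled in: try the module; a failed load is the warning path.
        if [ "$in_kernel" -eq 0 ]; then
            if [ "$load_ok" -eq 1 ]; then in_kernel=1
            else echo load-failed; return 0; fi
        fi ;;
    esac
    [ "$in_kernel" -eq 1 ] || { echo no-ipfw; return 0; }
    case $fw_enable in
    # The "no" clause: ipfw present in the kernel but firewalling turned off.
    [Nn][Oo]) echo disable-firewall ;;
    *)
        if [ "$have_script" -eq 1 ]; then echo run-script
        # Rules never loaded and rule 65535 is deny: every IP service is cut off.
        elif [ "$default_deny" -eq 1 ]; then echo warn-default-deny
        else echo no-rules; fi ;;
    esac
}

# Gather real state through the probes, then ask ipfw_plan what to do.
ipfw_rc_decide() {
    if ipfw_in_kernel; then in_kernel=1; else in_kernel=0; fi
    load_ok=0
    case ${ipfw_enable:-NO} in
    [Yy][Ee][Ss]) [ "$in_kernel" -eq 1 ] || { if ipfw_load_module; then load_ok=1; fi; } ;;
    esac
    if [ -r "${ipfw_script:-/etc/rc.firewall}" ]; then have_script=1; else have_script=0; fi
    if ipfw_only_default_deny; then default_deny=1; else default_deny=0; fi
    ipfw_plan "${ipfw_enable:-NO}" "${ipfw_firewall_enable:-YES}" \
        "$in_kernel" "$load_ok" "$have_script" "$default_deny"
}

if [ "${1:-}" = --run ]; then ipfw_rc_decide; fi
```

Acting on the plan (running the script, or actually disabling ipfw in the kernel) is left to the caller, since the thread does not show how the "no" clause disables it.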
