Date:      Mon, 28 Jan 2002 15:46:56 -0700 (MST)
From:      "M. Warner Losh" <imp@village.org>
To:        nate@yogotech.com
Cc:        cjm2@earthling.net, stable@FreeBSD.ORG, n@nectar.cc
Subject:   Re: Proposed Solution To Recent "firewall_enable" Thread. [Please Read]
Message-ID:  <20020128.154656.123855750.imp@village.org>
In-Reply-To: <15445.54136.731213.811969@caddis.yogotech.com>
References:  <15445.53283.957773.221016@caddis.yogotech.com> <20020128.153704.109572342.imp@village.org> <15445.54136.731213.811969@caddis.yogotech.com>

In message: <15445.54136.731213.811969@caddis.yogotech.com>
            Nate Williams <nate@yogotech.com> writes:
: > : > 	# Initialize IP filtering using ipfw
: > : > 	#
: > : > 	if /sbin/ipfw -q flush > /dev/null 2>&1; then
: > : > 		ipfw_in_kernel=1
: > : > 	else
: > : > 		ipfw_in_kernel=0
: > : > 	fi
: > : > 
: > : > 	case ${ipfw_enable} in
: > : > 	[Yy][Ee][Ss])
: > : > 		if [ "${ipfw_in_kernel}" -eq 0 ] && kldload ipfw; then
: > : > 			ipfw_in_kernel=1
: > : > 			echo 'Kernel firewall module loaded'
: > : > 		elif [ "${ipfw_in_kernel}" -eq 0 ]; then
: > : > 			echo 'Warning: firewall kernel module failed to load'
: > : > 		fi
: > : > 		;;
: > : > 	esac
: > : 
: > : This loads things automagically if 'firewall is enabled', and does
: > : nothing if the 'firewall isn't enabled'.
: > 
: > No.  It says if ipfw is enable, and not in the kernel, load it.
: 
: I'm in violent agreement with that.
: 
: > : > 	case ${ipfw_in_kernel} in
: > : > 	1)

At this point we know we have ipfw in the kernel, either statically or
dynamically loaded.

: > : > ... (indentation <<)
: > : > 	case ${ipfw_firewall_enable} in
: > : 
: > : All of the above is just safety code.
: > 
: > This says that "I know that I have IPFW in the kernel, but I want to
: > disable its firewall functionality"
: 
: Actually, this says I know that I have firewall in the kernel.  The only
: time this code is used is when the firewall isn't statically compiled
: in, and it failed to load.

I think that what I wrote doesn't match this statement.  Since we set
ipfw_in_kernel when we've loaded it or when it is in the kernel, the
code gets executed when ipfw is in the kernel, by whatever path.  The
no clause of this case would then issue the warning, and turn off the
ipfw stuff.  In the case where ipfw isn't in the kernel (statically or
dynamically), no action is necessary to disable it.

: > : > 	*)
: > : > 		if [ -r "${ipfw_script}" ]; then
: > : > 		...
: > : > 		elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
: > : > 			echo 'Warning: kernel has firewall functionality,' \
: > : > 			     'but firewall rules are not enabled.'
: > : > 			echo '		 All ip services are disabled.'
: > : > 		fi
: > : 
: > : Which doesn't help much if you are not sitting at the console, but you
: > : be seen once you login and check the logfiles.  (Been there, done that,
: > : hence the reason for my passioned opinions on this subject. :)
: > 
: > Agreed.  But the warning is there still.
: > 
: > : Except the chicken/egg problem, I'm not sure how to get the old
: > : 'default' functionality and still allow someone to easily 'disable' the
: > : kernel.  (Again, I don't care for the ipfw_firewall_disable variable.
: > : Also, the name is a bit redundant, but now I'm picking nits. :) :) :)
: > 
: > You missed the no clause of the case.
: > 
: > If you set ipfw_firewall_enable=no, it will disable ipfw even if it is
: > compiled into the kernel.
: 
: Yes, and I think having this is a good thing.  However, what are the
: default values for the variables?

In previous mail I suggested:

ipfw_enable=no
ipfw_firewall_enable=yes

Warner
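The decision logic the two of them are walking through, written out as an added example that is not the FreeBSD rc code nor anything posted in this thread: the ipfw and kldload probes are replaced by arguments (constructed for the example) so the table of outcomes can be exercised on any host.

```shell
# Arguments (constructed; names follow the thread's rc.conf knobs):
#   $1 ipfw_enable           load the ipfw module if it is not in the kernel
#   $2 ipfw_firewall_enable  keep firewalling on once ipfw is in the kernel
#   $3 in_kernel             1 if "/sbin/ipfw -q flush" would succeed
#   $4 kldload_ok            1 if "kldload ipfw" would succeed
#   $5 rule_65535            what "ipfw l 65535" would print
#   $6 have_script           1 if ${ipfw_script} is readable
# Prints the action the script would take:
#   absent | load-failed | disable | run-script | warn-all-ip-blocked | keep
decide_ipfw() {
    ipfw_enable=$1 ipfw_firewall_enable=$2 ipfw_in_kernel=$3
    kldload_ok=$4 rule_65535=$5 have_script=$6

    # Step 1: load the module only when asked to and it is not already there.
    case ${ipfw_enable} in
    [Yy][Ee][Ss])
        if [ "${ipfw_in_kernel}" -eq 0 ] && [ "${kldload_ok}" -eq 1 ]; then
            ipfw_in_kernel=1            # 'Kernel firewall module loaded'
        elif [ "${ipfw_in_kernel}" -eq 0 ]; then
            echo load-failed; return 0  # warn; nothing is left to disable
        fi
        ;;
    esac

    # Step 2: ipfw_in_kernel is now correct whether static or just loaded.
    case ${ipfw_in_kernel} in
    1)
        case ${ipfw_firewall_enable} in
        [Nn][Oo])
            echo disable ;;             # present, but the admin opted out
        *)
            if [ "${have_script}" -eq 1 ]; then
                echo run-script         # the "..." branch in the thread
            elif [ "${rule_65535}" = "65535 deny ip from any to any" ]; then
                echo warn-all-ip-blocked  # default-deny kernel, no rules
            else
                echo keep
            fi ;;
        esac ;;
    *)
        echo absent ;;                  # neither compiled in nor loaded
    esac
}
```

The defaults Warner proposes (ipfw_enable=no, ipfw_firewall_enable=yes) map to the "absent" row for a kernel without ipfw and to the "keep" or "warn-all-ip-blocked" rows for one that has it compiled in.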
