From owner-freebsd-stable Thu Jan 24 20:35:30 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122])
	by hub.freebsd.org (Postfix) with ESMTP id 4621037B400
	for ; Thu, 24 Jan 2002 20:34:53 -0800 (PST)
Received: (from david@localhost)
	by bunrab.catwhisker.org (8.11.6/8.11.6) id g0P4Ymw21284;
	Thu, 24 Jan 2002 20:34:48 -0800 (PST)
	(envelope-from david)
Date: Thu, 24 Jan 2002 20:34:48 -0800 (PST)
From: David Wolfskill
Message-Id: <200201250434.g0P4Ymw21284@bunrab.catwhisker.org>
To: patrick@stealthgeeks.net, stable@FreeBSD.ORG
Subject: Re: Firewall config non-intuitiveness
In-Reply-To: <20020124201411.A39351-100000@rockstar.stealthgeeks.net>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>Date: Thu, 24 Jan 2002 20:21:50 -0800 (PST)
>From: Patrick Greenwell
>
>I recently got bit by this: I have firewall options configured into my
>kernel, and made the mistake of thinking that in order to disable
>this functionality to allow all traffic that I merely needed to remove the
>firewall_enable parameter from my rc.conf since firewall_enable is set to NO in
>/etc/defaults/rc.conf.
>
>This did not have the intended result of disabling the firewall, rather a
>default deny was applied. If firewall_enable is set to NO, wouldn't it make
>more sense to have the init scripts set net.inet.ip.fw.enable to 0, or am I
>missing something?
>
>Opinions welcome.

Well, it seems reasonably well-documented to me:

g1-7(4.5-RC)[1] grep -A6 IPFIREWALL_DEF /usr/src/sys/i386/conf/LINT
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
--
options		IPFIREWALL_DEFAULT_TO_ACCEPT	#allow everything by default
options		IPV6FIREWALL		#firewall for IPv6
options		IPV6FIREWALL_VERBOSE
options		IPV6FIREWALL_VERBOSE_LIMIT=100
options		IPV6FIREWALL_DEFAULT_TO_ACCEPT
options		IPDIVERT		#divert sockets
options		IPFILTER		#ipfilter support
g1-7(4.5-RC)[2]

And from my perspective, defaulting to "deny" is what makes sense.

The only peculiarity I see is that the "default deny" rule doesn't log,
so I need to be sure to create my own rule that denies & logs -- not much
of a concern, in the grand scheme of things.

To achieve the effect you wished, changing the firewall_type in
/etc/rc.conf to "open" would have probably worked a little better for
you.

Cheers,
david
--
David H. Wolfskill				david@catwhisker.org
I believe it would be irresponsible (and thus, unethical) for me to advise,
recommend, or support the use of any product that is or depends on any
Microsoft product for any purpose other than personal amusement.
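An added example, not taken from David's message or from the /etc/rc.firewall that ships with FreeBSD: a short ipfw ruleset for a 4.x-era machine that closes with its own "deny log ip from any to any" rule numbered just below the kernel's fixed default rule 65535. That is the workaround David describes for the fact that the built-in default-deny rule never logs. The interface name fxp0, the LAN 192.168.1.0/24, the two services let in, and the file name /etc/rc.firewall.local are all assumptions made for illustration, not anything from the original thread. The fwcmd variable can be overridden so the rules can be previewed without touching the running kernel.

```shell
#!/bin/sh
# /etc/rc.firewall.local (assumed name): ipfw rules ending in an explicit
# logging deny.  Added example, not the system's rc.firewall.
#
# Assumptions (not in the original thread): outside interface fxp0,
# trusted LAN 192.168.1.0/24, ssh offered to the outside.
#
# Log entries from "deny log" rules appear only when the sysctl
# net.inet.ip.fw.verbose is 1.  IPFIREWALL_VERBOSE in the kernel config
# makes that the default, and firewall_logging="YES" in rc.conf turns it
# on at boot; net.inet.ip.fw.verbose_limit (IPFIREWALL_VERBOSE_LIMIT)
# caps how many entries a single rule may log.

oif="${oif:-fxp0}"
lan="${lan:-192.168.1.0/24}"
# Command used to install rules.  Overridden for previews (see dry_run).
fwcmd="${fwcmd:-/sbin/ipfw -q}"

# Rule numbers.  Everything must sit below the kernel's default rule 65535,
# which is "deny ip from any to any" unless the kernel was built with
# IPFIREWALL_DEFAULT_TO_ACCEPT.
RULE_LOOPBACK=100
RULE_ANTISPOOF=200
RULE_LAN=1000
RULE_ESTABLISHED=2000
RULE_SSH=2100
RULE_DNS_REPLY=2200
RULE_DENY_LOG=65000

ipfw_rules() {
    ${fwcmd} -f flush
    # Loopback traffic is always fine.
    ${fwcmd} add ${RULE_LOOPBACK} allow ip from any to any via lo0
    # Packets claiming a LAN source but arriving on the outside interface
    # are spoofed: drop and log them.
    ${fwcmd} add ${RULE_ANTISPOOF} deny log ip from ${lan} to any in via ${oif}
    # Trust the inside network.
    ${fwcmd} add ${RULE_LAN} allow ip from ${lan} to any
    # Replies to TCP connections we initiated.
    ${fwcmd} add ${RULE_ESTABLISHED} allow tcp from any to any established
    # Services offered to the outside world.
    ${fwcmd} add ${RULE_SSH} allow tcp from any to any 22 in via ${oif} setup
    ${fwcmd} add ${RULE_DNS_REPLY} allow udp from any 53 to any in via ${oif}
    # Everything else is dropped AND logged.  Without this rule the kernel's
    # rule 65535 still drops the packet, but silently.
    ${fwcmd} add ${RULE_DENY_LOG} deny log ip from any to any
}

# Guard: the logging deny is useless unless it runs before rule 65535.
deny_log_rule_ok() {
    [ "${RULE_DENY_LOG}" -lt 65535 ]
}

# Preview: print each rule exactly as ipfw would receive it, one per line,
# instead of loading it into the kernel.
show_rule() {
    printf '%s\n' "$*"
}
dry_run() {
    (fwcmd=show_rule; ipfw_rules)
}

case "${1:-}" in
    -n)      dry_run ;;
    install) deny_log_rule_ok && ipfw_rules ;;
esac
```

Preview the ruleset with "sh /etc/rc.firewall.local -n" and load it as root with "sh /etc/rc.firewall.local install"; sourcing the file from another script just defines the functions. Keep the logging deny as the last rule you add: any later "allow" placed above it would bypass the log, and anything numbered 65535 is rejected by the kernel because that rule is fixed.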