Date:      Thu, 24 Jan 2002 20:46:08 -0800 (PST)
From:      Patrick Greenwell <patrick@stealthgeeks.net>
To:        David Wolfskill <david@catwhisker.org>
Cc:        stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020124203931.Q39519-100000@rockstar.stealthgeeks.net>
In-Reply-To: <200201250434.g0P4Ymw21284@bunrab.catwhisker.org>

On Thu, 24 Jan 2002, David Wolfskill wrote:

> >Opinions welcome.
>
> Well, it seems reasonably well-documented to me:
>
> g1-7(4.5-RC)[1] grep -A6 IPFIREWALL_DEF /usr/src/sys/i386/conf/LINT
> # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
> # allow everything.  Use with care, if a cracker can crash your
> # firewall machine, they can get to your protected machines.  However,
> # if you are using it as an as-needed filter for specific problems as
> # they arise, then this may be for you.  Changing the default to 'allow'
> # means that you won't get stuck if the kernel and /sbin/ipfw binary get
> # out of sync.
> --
> options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
> options         IPV6FIREWALL            #firewall for IPv6
> options         IPV6FIREWALL_VERBOSE
> options         IPV6FIREWALL_VERBOSE_LIMIT=100
> options         IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options         IPDIVERT                #divert sockets
> options         IPFILTER                #ipfilter support
> g1-7(4.5-RC)[2]
>
>
> And from my perspective, defaulting to "deny" is what makes sense.

I'm not disputing that a default deny makes sense when a firewall is
enabled. What I find non-intuitive is that I have this "firewall_enable" knob
to twiddle in the system config files, and it doesn't work. If I set it to
"no" I still end up with a firewall set to default deny. In order to
actually get no firewall, I have to set firewall_enable to "yes" and then
set it to apply an "open" policy. It's not my intent to get into a pissing
match, I just think that's somewhat bass ackwards(sic).

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
                     Stealthgeeks,LLC. Operations Consulting
                          http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
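An added audit check, not part of the thread or of FreeBSD's rc scripts, that models the behaviour described above: with IPFIREWALL compiled in, firewall_enable="NO" just means rc loads no rules, so the kernel's default rule (deny unless IPFIREWALL_DEFAULT_TO_ACCEPT) governs; only firewall_enable="YES" with a firewall_type gets rc to install a policy. The kernel config and rc.conf fragments are constructed samples; the function names are mine.

```sh
#!/bin/sh
# Constructed kernel config fragment (not the LINT excerpt quoted above).
KERNCONF='options         IPFIREWALL
options         IPFIREWALL_VERBOSE
'

# Constructed rc.conf fragment: the case the message complains about.
RCCONF='firewall_enable="NO"
firewall_type="open"
'

# has_option CONFIG NAME: true if an uncommented "options NAME" line exists.
has_option() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|$|#)"
}

# rc_value CONFIG KEY: value of KEY="..." with quotes stripped; last one wins.
rc_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" \
      | tail -n 1
}

# effective_policy KERNCONF RCCONF: what traffic meets after boot.
#   no-firewall     IPFIREWALL not compiled in
#   rc-rules:<type> rc loads the ruleset named by firewall_type
#   default-accept  no rules loaded, kernel default rule allows
#   default-deny    no rules loaded, kernel default rule denies
effective_policy() {
    kern=$1
    rc=$2
    if ! has_option "$kern" IPFIREWALL; then
        echo "no-firewall"
        return
    fi
    enable=$(rc_value "$rc" firewall_enable | tr '[:lower:]' '[:upper:]')
    if [ "$enable" = "YES" ]; then
        echo "rc-rules:$(rc_value "$rc" firewall_type)"
        return
    fi
    if has_option "$kern" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "default-accept"
    else
        echo "default-deny"
    fi
}

effective_policy "$KERNCONF" "$RCCONF"
```

Run against a real /usr/src/sys/i386/conf/<KERNEL> and /etc/rc.conf to confirm a box with firewall_enable="NO" is not silently locked down at boot.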

