From owner-freebsd-stable Thu Jan 24 20:46:16 2002 Delivered-To: freebsd-stable@freebsd.org Received: from rockstar.stealthgeeks.net (h-66-134-120-173.LSANCA54.covad.net [66.134.120.173]) by hub.freebsd.org (Postfix) with SMTP id EA62537B402 for ; Thu, 24 Jan 2002 20:46:08 -0800 (PST) Received: (qmail 39722 invoked by uid 1001); 25 Jan 2002 04:46:08 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jan 2002 04:46:08 -0000 Date: Thu, 24 Jan 2002 20:46:08 -0800 (PST) From: Patrick Greenwell To: David Wolfskill Cc: stable@FreeBSD.ORG Subject: Re: Firewall config non-intuitiveness In-Reply-To: <200201250434.g0P4Ymw21284@bunrab.catwhisker.org> Message-ID: <20020124203931.Q39519-100000@rockstar.stealthgeeks.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, 24 Jan 2002, David Wolfskill wrote: > >Opinions welcome. > > Well, it seems reasonably well-documented to me: > > g1-7(4.5-RC)[1] grep -A6 IPFIREWALL_DEF /usr/src/sys/i386/conf/LINT > # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to > # allow everything. Use with care, if a cracker can crash your > # firewall machine, they can get to your protected machines. However, > # if you are using it as an as-needed filter for specific problems as > # they arise, then this may be for you. Changing the default to 'allow' > # means that you won't get stuck if the kernel and /sbin/ipfw binary get > # out of sync. > -- > options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default > options IPV6FIREWALL #firewall for IPv6 > options IPV6FIREWALL_VERBOSE > options IPV6FIREWALL_VERBOSE_LIMIT=100 > options IPV6FIREWALL_DEFAULT_TO_ACCEPT > options IPDIVERT #divert sockets > options IPFILTER #ipfilter support > g1-7(4.5-RC)[2] > > > And from my perspective, defaulting to "deny" is what makes sense. I'm not disputing that a default deny makes sense when a firewall is enabled. What I find non-intuitive is that I have this "firewall_enable" knob to twiddle in the system config files, and it doesn't work. If I set it to "no" I still end up with a firewall set to default deny. In order to actually get no firewall, I have to set firewall_enable to "yes" and then set it to apply an "open" policy. It's not my intent to get into a pissing match, I just think that's somewhat bass ackwards(sic). /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ Patrick Greenwell Stealthgeeks,LLC. Operations Consulting http://www.stealthgeeks.net \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message