Date:      Fri, 25 Jan 2002 16:14:50 +1100
From:      "Andrew Cowan" <andrew.cowan@hsd.com.au>
To:        "Patrick Greenwell" <patrick@stealthgeeks.net>, "David Wolfskill" <david@catwhisker.org>
Cc:        <stable@FreeBSD.ORG>
Subject:   RE: Firewall config non-intuitiveness
Message-ID:  <NEBBJIKPNGEHLCBOLMDMCELDFOAC.andrew.cowan@hsd.com.au>
In-Reply-To: <20020124203931.Q39519-100000@rockstar.stealthgeeks.net>

I agree, "firewall_enable" doesn't enable or disable the firewall (kernel
config) - it only specifies what firewall rules are applied.  Calling it
"firewall_policy" would make more sense (or making "firewall_enable" = No
automatically apply the OPEN policy)

Even though it is easy to remember after you have done it once, it is bad
for user accessibility.  Just multiply it by 1,000 times and you can
understand why Windows is still used more than Unix.

-------------------------------------------

On Thu, 24 Jan 2002, David Wolfskill wrote:

> >Opinions welcome.
>
> Well, it seems reasonably well-documented to me:
>
> g1-7(4.5-RC)[1] grep -A6 IPFIREWALL_DEF /usr/src/sys/i386/conf/LINT
> # IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
> # allow everything.  Use with care, if a cracker can crash your
> # firewall machine, they can get to your protected machines.  However,
> # if you are using it as an as-needed filter for specific problems as
> # they arise, then this may be for you.  Changing the default to 'allow'
> # means that you won't get stuck if the kernel and /sbin/ipfw binary get
> # out of sync.
> --
> options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
> options         IPV6FIREWALL            #firewall for IPv6
> options         IPV6FIREWALL_VERBOSE
> options         IPV6FIREWALL_VERBOSE_LIMIT=100
> options         IPV6FIREWALL_DEFAULT_TO_ACCEPT
> options         IPDIVERT                #divert sockets
> options         IPFILTER                #ipfilter support
> g1-7(4.5-RC)[2]
>
>
> And from my perspective, defaulting to "deny" is what makes sense.

I'm not disputing that a default deny makes sense when a firewall is
enabled. What I find non-intuitive is that I have this "firewall_enable"
knob to twiddle in the system config files, and it doesn't work. If I set it to
"no" I still end up with a firewall set to default deny. In order to
actually get no firewall, I have to set firewall_enable to "yes" and then
set it to apply an "open" policy. It's not my intent to get into a pissing
match, I just think that's somewhat bass ackwards(sic).

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
                               Patrick Greenwell
                     Stealthgeeks,LLC. Operations Consulting
                          http://www.stealthgeeks.net
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
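The interaction the thread argues about, as an added example written by the editor and not taken from any poster: a small POSIX shell model of what the kernel default rule (IPFIREWALL with or without IPFIREWALL_DEFAULT_TO_ACCEPT, per the LINT excerpt quoted above) and the rc.conf knobs firewall_enable / firewall_type combine to at boot. The build labels "none", "deny" and "accept", the function name and the output strings are constructed for the model; firewall_type="open" is the rc.conf setting behind the "open" policy Patrick refers to. The model encodes only the behaviour the thread describes: with firewall_enable="NO" no rule set is loaded, so whatever the kernel's default rule says is what the host gets.

```shell
#!/bin/sh
# Added example (not from the thread): a model of the boot-time filtering
# outcome for one combination of kernel build and rc.conf settings.
# All inputs are constructed labels, nothing is read from a running system:
#   $1 kernel build: none   -> no IPFIREWALL option compiled in
#                    deny   -> IPFIREWALL only (default rule 65535 denies)
#                    accept -> IPFIREWALL + IPFIREWALL_DEFAULT_TO_ACCEPT
#   $2 rc.conf firewall_enable value (YES/NO)
#   $3 rc.conf firewall_type value (open, client, simple, ... or a file)
effective_policy() {
    kernel="$1"; enable="$2"; type="$3"
    case "$kernel" in
        none)   echo "no-filtering"; return 0 ;;   # nothing in the kernel to filter with
        deny)   default="deny-all" ;;
        accept) default="allow-all" ;;
        *)      echo "unknown kernel build '$kernel'" >&2; return 1 ;;
    esac
    # firewall_enable=NO loads no rule set, so only the kernel's default
    # rule is left: this is the case Patrick finds non-intuitive.
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "$default"; return 0 ;;
    esac
    # firewall_enable=YES hands firewall_type to /etc/rc.firewall.
    case "$type" in
        open) echo "allow-all" ;;        # "open" installs an allow-everything rule
        *)    echo "ruleset:$type" ;;    # any other section or file: that rule set applies
    esac
}

# Demonstration of the combinations discussed in the thread.
for combo in "deny NO open" "deny YES open" "accept NO open" "none NO open"; do
    set -- $combo
    printf 'kernel=%-6s firewall_enable=%-3s firewall_type=%-5s => %s\n' \
        "$1" "$2" "$3" "$(effective_policy "$1" "$2" "$3")"
done
```

The first line of the demonstration is the surprising one: an IPFIREWALL kernel with firewall_enable="NO" still ends up at "deny-all". The only way to get an open host in that build is firewall_enable="YES" with firewall_type="open", or rebuilding with IPFIREWALL_DEFAULT_TO_ACCEPT, which LINT itself warns weakens the fail-closed property if the firewall host is crashed.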
