Date: Thu, 2 Jan 2003 08:09:19 -0800
From: "Lucky Green" <shamrock@cypherpunks.to>
To: <l.rizzo@iet.unipi.it>
Cc: <doc@FreeBSD.org>
Subject: IPFW: suicidal defaults
Message-ID: <000101c2b279$51d33ba0$6601a8c0@VAIO650>

Folks,

A few days ago, I tried to enable IPFW on my FreeBSD 4.6.2 (fresh cvsup from the security branch) machine. Following the instructions in the Handbook at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html I recompiled the kernel with the required options and rebooted the machine.

What I would have expected to happen is for there to be a new kernel that later on can be configured with firewall rules. But that is not what happened. Instead, IPFW defaults to blocking all IP traffic unless told otherwise: I was locked out of my machine! Which was on the other side of the planet from where I was physically located.

Now I am all for shipping systems that are secure out-of-the-box, but defaulting an install to locking the admin out of his machine is not a nice thing to do. While I would argue that this should never be done, at the very least such a major trap should be mentioned in the Handbook so that administrators that follow the Handbook's step-by-step instructions know that they have to do so from the console, since in doing so they will lock themselves out remotely.

Therefore, could you please be so kind as to prevent others from shooting themselves in the foot as I did by

1) at least mentioning this danger *prominently* in the FreeBSD Handbook.
2) ideally setting IPFW defaults so that they don't screw up people's lives.

Big thanks in advance,
--Lucky Green, an otherwise very happy FreeBSD user
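
A pre-reboot check for the lockout described in the message above, as an added example that is not part of the original e-mail or of FreeBSD itself. It assumes names the message does not mention: the kernel option IPFIREWALL_DEFAULT_TO_ACCEPT and the rc.conf variables firewall_enable and firewall_type; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed (not in the message): kernel option
# IPFIREWALL_DEFAULT_TO_ACCEPT, rc.conf variables firewall_enable and
# firewall_type. All function names here are hypothetical helpers.

# Succeeds if kernel config file $1 has an uncommented "options <$2>" line.
has_option() {
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)"
}

# Prints the last value assigned to variable $2 in rc.conf-style file $1.
rc_value() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
        "$1" | tail -n 1
}

# Usage: ipfw_lockout_check KERNCONF RCCONF
# Returns 0 when a remote reboot looks safe, 1 when it would cut you off.
# Conservative: any ruleset other than "open" is reported as a risk.
ipfw_lockout_check() {
    kernconf=$1; rcconf=$2
    if ! has_option "$kernconf" IPFIREWALL; then
        echo "OK: IPFW is not compiled into this kernel"; return 0
    fi
    if has_option "$kernconf" IPFIREWALL_DEFAULT_TO_ACCEPT; then
        echo "OK: kernel default rule is allow"; return 0
    fi
    enable=$(rc_value "$rcconf" firewall_enable | tr '[:lower:]' '[:upper:]')
    fwtype=$(rc_value "$rcconf" firewall_type)
    if [ "$enable" = "YES" ] && [ "$fwtype" = "open" ]; then
        echo "OK: default deny, but rc.conf loads the open ruleset"; return 0
    fi
    echo "RISK: default deny and no open ruleset at boot; use the console"
    return 1
}

# Constructed sample: IPFW compiled in, nothing in rc.conf to load rules.
sample_check() {
    d=$(mktemp -d) || return 2
    printf 'options\tIPFIREWALL\noptions\tIPFIREWALL_VERBOSE\n' > "$d/KERNCONF"
    printf 'sshd_enable="YES"\n' > "$d/rc.conf"
    ipfw_lockout_check "$d/KERNCONF" "$d/rc.conf"; rc=$?
    rm -rf "$d"; return $rc
}

if [ $# -eq 2 ]; then ipfw_lockout_check "$1" "$2"; fi
```

Run it with the kernel configuration file and rc.conf as arguments before rebooting a machine you can only reach over the network.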