Actually, there's a simple way around this that is failsafe.

firewall_enable=YES        What it does now
                =NO        Wide open
                =FAILSAFE  Defaults to wired down.



That way, people that say firewall_enable=NO get what they want, those
that say firewall_enable=YES aren't impacted, and those that do
nothing get the default firewall behavior that is compiled into the
kernel.  The default behavior is controlled by kernel options, but
generally is closed rather than open.

A few extra comments in LINT, where people likely cut and paste their
ipfw and/or ipfilter lines from anyway, should allow those paying
attention to realize the consequences of their actions:

# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to
# any" and if you do not add other rules during startup to allow
# access, YOU WILL LOCK YOURSELF OUT.  If you do not set up firewall
# rules in /etc/rc.conf (with firewall_enable=YES and
# firewall_type=xxx), you must go to the machine and fix it from the
# console.
# When setting up a machine for the first time, especially a remote
# machine, with a firewall, you are strongly urged to add
# IPFIREWALL_DEFAULT_TO_ACCEPT to your kernel and make sure that your
# firewall is properly set up in /etc/rc.conf before removing that
# option.  Remote machines can be hard to fix remotely if you do not
# do this and fail to configure the firewall.
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care: if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
options         IPFIREWALL              #firewall SEE WARNINGS ABOVE
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
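The following POSIX sh script is an added example and not part of the message above or of the FreeBSD rc scripts. It models the three-valued firewall_enable proposed in the message (YES loads rules, NO opens the firewall, FAILSAFE or unset falls through to whatever default rule is compiled into the kernel) and adds the check a remote administrator would want before rebooting: does this rc.conf plus this kernel config produce the "deny ip from any to any with no rules loaded" lock-out that the LINT comment warns about? The FAILSAFE value, the helper names (rc_get, kernel_default_policy, firewall_action, lockout_check) and the rc.conf and kernel config snippets are all constructed for this example; the kernel option names are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: models the proposed firewall_enable semantics and audits
# a constructed rc.conf + kernel config for the boot-time lock-out case.

# Policy of the kernel's default rule: "accept" only if the kernel config
# carries IPFIREWALL_DEFAULT_TO_ACCEPT, otherwise "deny".
kernel_default_policy() {
    # $1: kernel config text
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT([[:space:]]|$)'; then
        echo accept
    else
        echo deny
    fi
}

# Read one variable from rc.conf-style text: last assignment wins, trailing
# comment and double quotes stripped. Prints nothing when the variable is unset.
rc_get() {
    # $1: rc.conf text, $2: variable name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1 \
        | sed 's/#.*//' | tr -d '"' | sed 's/[[:space:]]*$//'
}

# What the startup script would do under the proposed semantics.
# Prints "rules", "open" or "kernel-default:<accept|deny>".
firewall_action() {
    # $1: rc.conf text, $2: kernel config text
    enable=$(rc_get "$1" firewall_enable)
    if [ -z "$enable" ]; then
        enable=FAILSAFE          # unset behaves like the proposed FAILSAFE default
    fi
    case $(printf '%s' "$enable" | tr '[:lower:]' '[:upper:]') in
        YES) echo rules ;;       # load the rule set selected by firewall_type
        NO)  echo open ;;        # the "wide open" case: pass everything
        *)   echo "kernel-default:$(kernel_default_policy "$2")" ;;
    esac
}

# "lockout-risk" when IPFIREWALL is compiled in, no rules will be loaded and
# the compiled-in default rule denies everything; "ok" otherwise.
lockout_check() {
    # $1: rc.conf text, $2: kernel config text
    action=$(firewall_action "$1" "$2")
    ipfw_in_kernel=$(printf '%s\n' "$2" \
        | grep -Ec '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' || true)
    if [ "$ipfw_in_kernel" -gt 0 ] && [ "$action" = kernel-default:deny ]; then
        echo lockout-risk
    else
        echo ok
    fi
}

# Constructed sample inputs (not taken from any real system).
KERNEL_STRICT='options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity'

KERNEL_ACCEPT="$KERNEL_STRICT
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default"

RC_NONE='hostname="fw.example.test"'
RC_YES='firewall_enable="YES"
firewall_type="client"'
RC_NO='firewall_enable="NO"   # wide open'

# Walk the combinations and report what each boot would do.
for kernel_name in KERNEL_STRICT KERNEL_ACCEPT; do
    eval "kernel=\$$kernel_name"
    for rc_name in RC_NONE RC_YES RC_NO; do
        eval "rc=\$$rc_name"
        printf '%-13s %-8s action=%-22s %s\n' "$kernel_name" "$rc_name" \
            "$(firewall_action "$rc" "$kernel")" "$(lockout_check "$rc" "$kernel")"
    done
done
```

Run it on the constructed inputs and the only lockout-risk line is the strict kernel with an rc.conf that never mentions firewall_enable, which is exactly the remote-machine case the LINT warning describes; adding IPFIREWALL_DEFAULT_TO_ACCEPT turns that line to ok at the cost of an open default rule.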
