I just made a few _minor_ changes to the rc.firewall{,6} scripts. The
vast majority of users will not be affected. However, since a few may
be, and this is a security issue with the potential to cause some
subtle breakage, I felt a small HEADS UP was in order. (For the very
security conscious and paranoid, note that this change can only
"fail-safe" if people apply it blindly. You'll be "more secure," but
it may break stuff.)

If you do not use firewalling or rc.firewall{,6} at all (that is, you
do not have 'firewall_enable="YES"' and/or
'ipv6_firewall_enable="YES"') or if you use custom rc.firewall{,6}
scripts, you are not affected. Two groups of people who use the
provided firewall scripts are affected:

  1) Those who put a rules file in the 'firewall_type' variable, or

  2) Those who put a non-existent type in the 'firewall_type' variable.

In both cases, you will no longer get the rules,

        100 pass all from any to any via lo0
        200 deny all from any to
        300 deny ip from to any

In rc.firewall, and,

        100 pass all from any to any via lo0
        200 pass ipv6-icmp from :: to ff02::/16
        300 pass ipv6-icmp from fe80::/10 to fe80::/10
        400 pass ipv6-icmp from fe80::/10 to ff02::/16

In rc.firewall6 added to your firewall by the system scripts.

If you are in group (1), you should add whatever rules like these
_you_ want for _your_ site into your rule file. If you are in group
(2), using 'firewall_type="closed"' (which now works as advertised) will
give you the same effect as your current configuration.

The motivation for the change was mainly for the people in group
(1). Up until now, those rules were added _unconditionally_ by the
rc.network{,6} scripts. For people who want to define their own
rulesets outside of the simple ones provided in the rc.firewall{,6}
scripts, the system should make NO assumptions about your site's
policy and be adding rules.

Crist J. Clark
http://people.freebsd.org/~cjc/
