ipfw question
Peter Pentchev
roam at ringlet.net
Thu Mar 4 22:57:03 PST 2004
On Thu, Mar 04, 2004 at 09:24:40PM -0500, David Edwards wrote:
> Hello folks.. I have a quick question about ipfw on a 4.8 server..
>
> In /etc/rc.conf, if you set this - firewall_type="OPEN", is it also
> necessary to have the option IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel
> config file?
No, firewall_type="open" will work even without the default-to-accept
kernel config option.
The presence or absence of the kernel configuration option determines
what rule 65535 will be at startup: at the initialization of the ipfw
framework, it places a rule numbered 65535, which is either 'allow' if
the option is present, or 'deny' if it is not. The firewall_type="open"
rc.conf knob determines the behavior of the /etc/rc.firewall script
(which can be overridden by setting firewall_script="something else" in
/etc/rc.conf) - and rc.firewall's 'open' mode creates a rule numbered
65000. Since ipfw terminates the rule search on the first match, rule
65000 will be processed before rule 65535, and the kernel's default will
never be considered - firewall_type="open" trumps the presence or
absence of the IPFIREWALL_DEFAULT_TO_ACCEPT option.
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at sbnd.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If this sentence were in Chinese, it would say something else.
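The rule-ordering argument in Peter's reply can be checked with a small model of ipfw's first-match evaluation. This is an added example, not code from the list post or from FreeBSD; the rule and packet representation, the helper names (`kernel_ruleset`, `rc_firewall_open`, `decision`) and the sample rules are constructed here. It models only what the reply states: the kernel installs rule 65535 as allow or deny depending on IPFIREWALL_DEFAULT_TO_ACCEPT, rc.firewall's "open" mode adds an allow-everything rule 65000, and the search stops at the first matching rule in ascending number order. The example also goes one step beyond the post by showing the failure mode a defender cares about: if rc.firewall never installs rule 65000, the kernel's default rule is what decides.

```python
# Added example (not from the original post): a minimal model of ipfw's
# first-match rule evaluation, used to show why rc.firewall's rule 65000
# hides the kernel's default rule 65535.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int   # ipfw rule number; lower numbers are searched first
    action: str   # "allow" or "deny"
    src: str      # "any" or a constructed IPv4 address string
    dst: str      # "any" or a constructed IPv4 address string


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both its source and destination match the packet."""
    return rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """ipfw semantics as described in the reply: rules are searched in
    ascending number order and the search ends at the first match."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    # Unreachable in a real ipfw set, because rule 65535 matches everything.
    raise RuntimeError("no rule matched and no default rule 65535 present")


def kernel_ruleset(default_to_accept: bool) -> List[Rule]:
    """Rule 65535 is placed by the kernel when ipfw initialises; its action
    depends on whether IPFIREWALL_DEFAULT_TO_ACCEPT was compiled in."""
    return [Rule(65535, "allow" if default_to_accept else "deny", "any", "any")]


def rc_firewall_open(rules: List[Rule]) -> List[Rule]:
    """rc.firewall's 'open' mode adds an allow-everything rule numbered 65000."""
    return rules + [Rule(65000, "allow", "any", "any")]


def decision(default_to_accept: bool, open_mode: bool, pkt: Packet,
             extra_rules: Optional[List[Rule]] = None) -> Tuple[int, str]:
    """Build the rule set for a given kernel option / rc.conf combination
    (plus any constructed extra rules) and evaluate one packet against it."""
    rules = kernel_ruleset(default_to_accept)
    if open_mode:            # firewall_type="open" and rc.firewall actually ran
        rules = rc_firewall_open(rules)
    if extra_rules:
        rules = rules + list(extra_rules)
    return evaluate(rules, pkt)


if __name__ == "__main__":
    # Constructed sample packet; addresses are illustrative only.
    pkt = Packet("192.0.2.10", "198.51.100.20")
    for default_to_accept in (False, True):
        for open_mode in (False, True):
            num, act = decision(default_to_accept, open_mode, pkt)
            print(f"DEFAULT_TO_ACCEPT={default_to_accept!s:5} open={open_mode!s:5}"
                  f" -> rule {num} {act}")
```

With firewall_type="open" the packet is always decided by rule 65000, whichever way rule 65535 was compiled; only when rule 65000 is absent (rc.firewall did not run, or another firewall_type was chosen) does the kernel's default rule matter. On a real host the equivalent check is to look at the installed rule set with `ipfw list` and confirm which rule precedes 65535.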