NATD: net.inet.ip.fw.default_to_accept="1" vs firewall_type="OPEN"
gmx at ross.cx
Fri Oct 11 03:41:09 UTC 2013
On Fri, 11 Oct 2013 04:38:45 +0200, Chris Stankevitz
<chrisstankevitz at gmail.com> wrote:
> Handbook section 31.9 describes the setup of NAT.
> Section 31.9.3 suggests net.inet.ip.fw.default_to_accept="1" "during
> the first attempts to setup a firewall and NAT gateway".
> Section 31.9.5 suggests I "specify a predefined firewall ruleset that
> allows anything in" with firewall_type="OPEN"
> Question: What is the difference between these two configurations (or
> where can I go to learn the difference between the two)?
> Thank you,
ipfw always has one default rule, standard is
65535 deny ip from any to any
If you set net.inet.ip.fw.default_to_accept="1", you get
65535 allow ip from any to any
Specifing firewall_type="OPEN" gives you an additional rule
65000 allow ip from any to any
Now, if for example you execute ``ipfw flush'', thus deleting all rules,
this deletes rule 65000, but the default rule stays in effect.
With ...default_to_accept="0" ( standard setting ) you now have disabled
all network connections and locked yourself out if you're working remote.
More information about the freebsd-questions