ipfw question

Nigel Houghton nigel at sourcefire.com
Fri Mar 5 07:52:41 PST 2004


On  0, David Edwards <david at deassociates.com> allegedly wrote:
> Hello folks.. I have a quick question about ipfw on a 4.8 server.
> 
> In /etc/rc.conf, if you set this - firewall_type="OPEN", is it also
> necessary to have options IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config
> file?

No, it is not necessary. firewall_type="open" means just that: it is open
and everything is allowed.

> 
> I would think that using the first would be better because it can be
> removed, thus allowing no one access, including yourself if you aren't
> careful. Whereas the second method above, in the kernel config leaves it
> open if no rules exist or if all rules are flushed. So the big question
> is, do I use both, one or the other? I know I can just do options
> IPFIREWALL, but I want to ensure no way of locking myself out at initial
> reboot, since this is a remote server. I am also aware of the risks of doing
> it remotely. But I need to do this.

You are headed in the right direction: start with the "open" option and
work from there, but be careful when you start adding rules and reloading
rulesets. Allow what you need, and let the default deny take care of
everything else.

> 
> Thanks for your help.
> 
> David Edwards
> 
-------------------------------------------------------------
Nigel Houghton  Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
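The lockout risk David raises above (flushing or reloading rules on a remote box while the only way in is an SSH session through that same firewall) is usually handled with a small guard script. The one below is an added example; it is not part of the thread and not FreeBSD's rc.firewall. It assumes a numbered ruleset file whose admin SSH rule has the form "add <num> allow tcp from <ADMIN_NET> to me 22", an admin network of 192.0.2.0/24 (a constructed RFC 5737 value), a 120 second grace period, and ipfw at /sbin/ipfw; the IPFW variable is overridable so the logic can be exercised with a stub instead of the real binary. The open_ruleset function produces the same end state as firewall_type="OPEN" in the thread: flush, then allow everything.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc scripts): load a
# restrictive ipfw ruleset on a remote host without locking yourself out.
# Two guards:
#   1. check_ruleset refuses a ruleset file that does not allow the admin's
#      SSH session before any deny rule fires;
#   2. load_rules arms a watchdog that reverts to the wide-open ruleset
#      (what firewall_type="OPEN" gives you) unless confirm_rules is run
#      from the still-working session within GRACE seconds.
# Assumptions: numbered rules "add <num> allow tcp from <ADMIN_NET> to me 22"
# for the admin's SSH, ADMIN_NET 192.0.2.0/24 (constructed, RFC 5737 range),
# a 120 s grace period, ipfw at /sbin/ipfw (IPFW is overridable for testing).
#
# Usage, inside the SSH session:   . ./ipfw_guard.sh
#                                  load_rules /etc/ipfw.rules
#                                  # open a second ssh to prove it still works
#                                  confirm_rules

IPFW="${IPFW:-/sbin/ipfw}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
GRACE="${GRACE:-120}"
WATCHDOG_PID=""

# open_ruleset: flush everything and allow all traffic, the same end state
# as firewall_type="OPEN".  (-q implies -f, so flush does not prompt.)
open_ruleset() {
    "$IPFW" -q flush
    "$IPFW" -q add 65000 allow ip from any to any
}

# check_ruleset FILE: succeed only if the lowest-numbered rule allowing SSH
# from ADMIN_NET is numbered below the lowest-numbered deny.  ipfw evaluates
# by rule number, not by file order, so the numbers are what get compared.
check_ruleset() {
    awk -v net="$ADMIN_NET" '
        $1 == "add" && ($3 == "allow" || $3 == "pass") && $4 == "tcp" &&
        $6 == net && $9 == "22" {
            if (a == "" || $2 + 0 < a + 0) a = $2
        }
        $1 == "add" && $3 == "deny" {
            if (d == "" || $2 + 0 < d + 0) d = $2
        }
        END {
            if (a == "") {
                print "refusing ruleset: no ssh allow for " net > "/dev/stderr"
                exit 1
            }
            if (d != "" && d + 0 <= a + 0) {
                print "refusing ruleset: deny " d " fires before ssh allow " a > "/dev/stderr"
                exit 1
            }
        }' "$1"
}

# arm_watchdog: after GRACE seconds, revert to open unless cancelled.
# Output is redirected so the background job holds no terminal or pipe open.
arm_watchdog() {
    ( sleep "$GRACE"; open_ruleset ) >/dev/null 2>&1 &
    WATCHDOG_PID=$!
}

# load_rules FILE: validate, arm the watchdog, then flush and load FILE.
# Returns 1 (and changes nothing) if the ruleset is refused.
load_rules() {
    check_ruleset "$1" || return 1
    arm_watchdog
    "$IPFW" -q flush
    "$IPFW" -q "$1"          # ipfw reads the "add ..." lines from the file
    echo "loaded $1; run confirm_rules within ${GRACE}s or it reverts to open"
}

# confirm_rules [PID]: cancel the watchdog once the session is known to work.
confirm_rules() {
    pid="${1:-$WATCHDOG_PID}"
    [ -n "$pid" ] || { echo "no watchdog armed" >&2; return 1; }
    kill "$pid" 2>/dev/null || { echo "watchdog $pid already fired" >&2; return 1; }
    WATCHDOG_PID=""
    echo "ruleset kept; watchdog cancelled"
}
```

Source the file rather than executing it, so that WATCHDOG_PID survives between load_rules and confirm_rules in the same shell. If the session dies before you confirm, the watchdog puts the box back to open and you can log in and fix the ruleset; once you confirm, the explicit deny (or the kernel's default rule 65535) is what covers everything you did not allow, which is Nigel's advice above.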

