From shamrock@pakastelohi.cypherpunks.to Fri Jan 3 23:53:35 2003
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C396937B401 for ; Fri, 3 Jan 2003 23:53:35 -0800 (PST)
Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58B3343EA9 for ; Fri, 3 Jan 2003 23:53:35 -0800 (PST) (envelope-from shamrock@pakastelohi.cypherpunks.to)
Received: by pakastelohi.cypherpunks.to (Postfix, from userid 1001) id 39DA73648A; Sat, 4 Jan 2003 08:53:23 +0100 (CET)
Message-Id: <20030104075323.39DA73648A@pakastelohi.cypherpunks.to>
Date: Sat, 4 Jan 2003 08:53:23 +0100 (CET)
From: Lucky Green
Reply-To: Lucky Green
To: FreeBSD-gnats-submit@freebsd.org
Cc: shamrock@cypherpunks.to
Subject: Handbook: missing IPFW foot-shooting warning
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46747
>Category:       docs
>Synopsis:       Handbook: missing IPFW foot-shooting warning
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keramida
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 04 00:00:22 PST 2003
>Closed-Date:    Sat Jan 04 01:43:11 PST 2003
>Last-Modified:  Sat Jan 04 01:43:11 PST 2003
>Originator:     Lucky Green
>Release:        FreeBSD 4.6.2-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD pakastelohi.cypherpunks.to 4.6.2-RELEASE-p5 FreeBSD 4.6.2-RELEASE-p5 #0: Tue Dec 31 06:33:55 CET 2002 root@pakastelohi.cypherpunks.to:/usr/obj/usr/src/sys/PAKASTELOHI-20021231 i386
>Description:
Even though LINT contains an IPFW foot-shooting warning, the step-by-step instructions on enabling IPFW at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html do not. Consequently, administrators following the above instructions to the letter are likely to lock themselves out of their machines.
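The lockout described in this PR happens when a kernel with IPFW compiled in boots with its default "deny ip from any to any" policy and /etc/rc.conf has firewall_enable set but no firewall_type that installs allow rules. The following pre-reboot check is an added example, not part of the PR, the Handbook or FreeBSD's rc scripts: it parses an rc.conf-style file for the real firewall_enable and firewall_type variables and reports whether the combination would cut off remote access. The function names (rc_value, ipfw_lockout_check) and the sample configurations are constructed here for the demonstration.

```shell
#!/bin/sh
# Pre-reboot check for the IPFW lockout described in PR docs/46747.
# Added example, not part of the PR or the Handbook. Reads an rc.conf-style
# file and reports whether firewall_enable="YES" is set without a
# firewall_type that installs allow rules ("open" is the type the PR's
# warning suggests for first bring-up). Sample files below are constructed.

# Print the value of a sh-style assignment (VAR="value", VAR='value' or
# VAR=value) from the given file. The last assignment wins, matching how
# the shell behaves when rc.conf is sourced. Commented-out lines do not match.
rc_value() {
    # $1 = variable name, $2 = file
    sed -n "s/^[[:space:]]*$1=[\"']*\([^\"']*\)[\"']*.*/\1/p" "$2" | tail -n 1
}

# Exit status: 0 = safe to reboot into the IPFW kernel,
#              1 = would lock a remote administrator out (or needs review),
#              2 = IPFW is not enabled in this file at all.
ipfw_lockout_check() {
    file=$1
    enable=$(rc_value firewall_enable "$file")
    fwtype=$(rc_value firewall_type "$file")
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "ipfw not enabled in $file; nothing to check"; return 2 ;;
    esac
    case "$fwtype" in
        [Oo][Pp][Ee][Nn])
            echo "OK: firewall_enable=YES with firewall_type=open"
            return 0 ;;
        "")
            echo "RISK: firewall_enable=YES but firewall_type is unset;" \
                 "with the default deny policy and no allow rules," \
                 "remote logins will be blocked after reboot"
            return 1 ;;
        *)
            echo "CHECK: firewall_type=$fwtype; confirm that ruleset" \
                 "permits your management traffic before rebooting"
            return 1 ;;
    esac
}

# Write a constructed rc.conf fragment to a temp file and print its path.
make_sample() {
    f=$(mktemp) || exit 1
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demonstration on constructed samples: the first is the PR's failure case,
# the second follows the warning's advice.
demo() {
    risky=$(make_sample 'sshd_enable="YES"' 'firewall_enable="YES"')
    safe=$(make_sample 'firewall_enable="YES"' 'firewall_type="open"')
    ipfw_lockout_check "$risky"; echo "exit status: $?"
    ipfw_lockout_check "$safe";  echo "exit status: $?"
    rm -f "$risky" "$safe"
}
demo
```

Run `ipfw_lockout_check /etc/rc.conf` before rebooting into the firewall-enabled kernel; a non-zero status is the cue to set firewall_type="open" first (and, as the PR's warning notes, to do the first reboot from the local console), then tighten /etc/rc.firewall once the kernel feature is confirmed working.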
>How-To-Repeat: >Fix: Apply the following doc patch to /usr/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml *** chapter.sgml.orig Sat Jan 4 07:52:10 2003 --- chapter.sgml Sat Jan 4 08:34:58 2003 *************** *** 2048,2053 **** --- 2048,2067 ---- linkend="kernelconfig">) for more details on how to recompile your kernel. + + Warning + IPFW defaults to a policy of "deny ip from any to any". + If you do not add other rules during startup to allow access, + you will lock yourself out of the server upon + rebooting into a firewall-enabled kernel. It is therefore + suggested that you set firewall_type=open in /etc/rc.conf when first enabling + this feature, then refining the firewall rules in /etc/rc.firewall + after you've tested that the new kernel feature works properly. To be + on the safe side, you may wish to consider performing the initial + firewall configuration from the local console rather than + via ssh. + + There are currently three kernel configuration options relevant to IPFW: >Release-Note: >Audit-Trail: Responsible-Changed-From-To: freebsd-doc->keramida Responsible-Changed-By: keramida Responsible-Changed-When: Sat Jan 4 00:46:08 PST 2003 Responsible-Changed-Why: Refining the patch with Lucky. I'll handle this. http://www.freebsd.org/cgi/query-pr.cgi?pr=46747 State-Changed-From-To: open->closed State-Changed-By: keramida State-Changed-When: Sat Jan 4 01:40:26 PST 2003 State-Changed-Why: Done! Many thanks to Lucky Green for submitting the initial text and reviewing my final version. I hope this saves a few IPFW users from locking themselves out :-) http://www.freebsd.org/cgi/query-pr.cgi?pr=46747 >Unformatted:
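Review bot: the new Warning's advice is not parallel in the hunk's sentence "It is therefore suggested that you set firewall_type=open in /etc/rc.conf when first enabling this feature, then refining the firewall rules in /etc/rc.firewall"; "then refine the firewall rules" would match "set". For consistency with how the rest of rc.conf is written, quoting the value as firewall_type="open" would also help readers who copy it verbatim. The sequence itself is sound: it tells the reader to keep the kernel feature and the ruleset as separate steps, which is what avoids the lockout the PR describes.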