Add a <warning> that ipfw can lock everyone out if a kernel with ipfw
support is booted without explicitly setting firewall_type=open in rc.conf or compiling a kernel with IPFIREWALL_DEFAULT_TO_ACCEPT. Also add a short description of IPFIREWALL_DEFAULT_TO_ACCEPT since we reference it in the text now. This part will probably need a bit more work until it's complete.

PR: docs/46747
Submitted by: Lucky Green <shamrock@cypherpunks.to>
parent 87d70f16d9
commit 30ceb95de2
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=15536
1 changed file with 36 additions and 2 deletions
@ -2048,8 +2048,27 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
linkend="kernelconfig">)
for more details on how to recompile your
kernel.</para>
<para>There are currently three kernel configuration options relevant to
<warning>
<para>IPFW defaults to a policy of <literal>deny ip from any to
any</literal>. If you do not add other rules during startup to
allow access, <emphasis>you will lock yourself out</emphasis> of the
server upon rebooting into a firewall-enabled kernel. We suggest
that you set <literal>firewall_type=open</literal> in your
<filename>/etc/rc.conf</filename> file when first enabling this
feature, then refining the firewall rules in
<filename>/etc/rc.firewall</filename> after you have tested that the
new kernel feature works properly. To be on the safe side, you may
wish to consider performing the initial firewall configuration from
the local console rather than via
<application>ssh</application>. Another option is to build a kernel
using both the <literal>IPFIREWALL</literal> and
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> options. This will
change the default rule of IPFW to <literal>allow ip from any to
any</literal> and avoid the possibility of a lockout.</para>
</warning>
<para>There are currently four kernel configuration options relevant to
IPFW:</para>
<variablelist>
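Review bot: the rc.conf advice in the new warning names only firewall_type=open; if /etc/rc.firewall is run at boot only when the firewall is also enabled in rc.conf (firewall_enable), say so in the same sentence, because a reader who sets firewall_type alone and reboots into an IPFIREWALL kernel still meets the default "deny ip from any to any" rule the warning describes. Two smaller points in the same paragraph: "We suggest that you set ... then refining the firewall rules" should read "then refine", and since both escapes offered here (firewall_type=open and IPFIREWALL_DEFAULT_TO_ACCEPT) leave the host with no filtering at all until rules are added, a clause stating that the machine is unprotected during that window would match the "use with care" caveat in the new varlistentry further down. The change from "three" to "four" kernel configuration options is consistent with the entry added in the second hunk.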
@ -2093,6 +2112,21 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal></term>
<listitem>
<para>This changes the default rule action from <quote>deny</quote>
to <quote>allow</quote>. This avoids the possibility of locking
yourself out if you happen to boot a kernel with
<literal>IPFIREWALL</literal> support but have not configured
your firewall yet. It is also very useful if you often use
&man.ipfw.8; as a filter for specific problems as they arise.
Use with care though, as this opens up the firewall and changes
the way it works.</para>
</listitem>
</varlistentry>
</variablelist>
<note><para>Previous versions of FreeBSD contained an
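Review bot: "opens up the firewall and changes the way it works" at the end of the new IPFIREWALL_DEFAULT_TO_ACCEPT entry is too vague to act on; state the concrete consequence of the first sentence of the same entry: once the default rule action is "allow", any packet not matched by an explicit rule is passed, so a rule set written for the normal "deny" default (a list of allow rules) no longer blocks anything and must instead consist of explicit deny rules. A one-line cross-reference back to the lockout warning added in the first hunk would also let this entry drop its second explanation of the lockout.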