Add a <warning> that ipfw can lock everyone out if a kernel with ipfw
support is booted without explicitly setting firewall_type=open in
rc.conf or compiling a kernel with IPFIREWALL_DEFAULT_TO_ACCEPT.

Also add a short description of IPFIREWALL_DEFAULT_TO_ACCEPT since we
reference it in the text now.  This part will probably need a bit more
work until it's complete.

PR:		docs/46747
Submitted by:	Lucky Green <shamrock@cypherpunks.to>
Giorgos Keramidas 2003-01-04 09:39:47 +00:00
parent 87d70f16d9
commit 30ceb95de2
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=15536

@ -2048,8 +2048,27 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
linkend="kernelconfig">)
for more details on how to recompile your
kernel.</para>
<para>There are currently three kernel configuration options relevant to
<warning>
<para>IPFW defaults to a policy of <literal>deny ip from any to
any</literal>. If you do not add other rules during startup to
allow access, <emphasis>you will lock yourself out</emphasis> of the
server upon rebooting into a firewall-enabled kernel. We suggest
that you set <literal>firewall_type=open</literal> in your
<filename>/etc/rc.conf</filename> file when first enabling this
feature, then refining the firewall rules in
<filename>/etc/rc.firewall</filename> after you have tested that the
new kernel feature works properly. To be on the safe side, you may
wish to consider performing the initial firewall configuration from
the local console rather than via
<application>ssh</application>. Another option is to build a kernel
using both the <literal>IPFIREWALL</literal> and
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> options. This will
change the default rule of IPFW to <literal>allow ip from any to
any</literal> and avoid the possibility of a lockout.</para>
</warning>
<para>There are currently four kernel configuration options relevant to
IPFW:</para>
<variablelist>
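Review bot: the recommended sequence in the new <warning> is not grammatically parallel: "We suggest that you set <literal>firewall_type=open</literal> ... then refining the firewall rules" should read "then refine the firewall rules". In the same paragraph, the closing sentence overstates what <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> buys you: it only changes the default rule at the end of the chain, and rules loaded from <filename>/etc/rc.firewall</filename> at startup can still deny the administrator's own session, so "avoid the possibility of a lockout" is better phrased as avoiding a lockout caused by the default rule alone, with the console advice a few lines earlier still applying. Minor: the old "three kernel configuration options" line is replaced by "four", which matches the one <varlistentry> added in the next hunk.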
@ -2093,6 +2112,21 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
logging.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal></term>
<listitem>
<para>This changes the default rule action from <quote>deny</quote>
to <quote>allow</quote>. This avoids the possibility of locking
yourself out if you happen to boot a kernel with
<literal>IPFIREWALL</literal> support but have not configured
your firewall yet. It is also very useful if you often use
&man.ipfw.8; as a filter for specific problems as they arise.
Use with care though, as this opens up the firewall and changes
the way it works.</para>
</listitem>
</varlistentry>
</variablelist>
<note><para>Previous versions of FreeBSD contained an
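Review bot: the last sentence of the new <varlistentry>, "Use with care though, as this opens up the firewall and changes the way it works", is too vague to act on; the concrete consequence is that any ruleset which relied on the implicit final deny now passes whatever it does not explicitly block, so rulesets written for a default-deny kernel must end with an explicit deny rule when this option is enabled. Suggested replacement: "Use with care: a ruleset that relies on the implicit final deny will now pass all traffic it does not explicitly block, so add an explicit deny rule at the end." Style: the rule actions are tagged <quote>deny</quote> and <quote>allow</quote> here but <literal>deny ip from any to any</literal> in the <warning> above; pick one convention. The commit message already flags this entry as needing more work, so expanding "useful if you often use &man.ipfw.8; as a filter for specific problems as they arise" into a concrete use case would be worthwhile before it is considered complete.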