diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index fd2e177eed..f8cb0ebd5f 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -2048,8 +2048,27 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen> linkend="kernelconfig">) for more details on how to recompile your kernel.</para> - - <para>There are currently three kernel configuration options relevant to + + <warning> + <para>IPFW defaults to a policy of <literal>deny ip from any to + any</literal>. If you do not add other rules during startup to + allow access, <emphasis>you will lock yourself out</emphasis> of the + server upon rebooting into a firewall-enabled kernel. We suggest + that you set <literal>firewall_type=open</literal> in your + <filename>/etc/rc.conf</filename> file when first enabling this + feature, then refining the firewall rules in + <filename>/etc/rc.firewall</filename> after you have tested that the + new kernel feature works properly. To be on the safe side, you may + wish to consider performing the initial firewall configuration from + the local console rather than via + <application>ssh</application>. Another option is to build a kernel + using both the <literal>IPFIREWALL</literal> and + <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> options. This will + change the default rule of IPFW to <literal>allow ip from any to + any</literal> and avoid the possibility of a lockout.</para> + </warning> + + <para>There are currently four kernel configuration options relevant to IPFW:</para> <variablelist> 
@@ -2093,6 +2112,21 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen> logging.</para> </listitem> </varlistentry> + + <varlistentry> + <term><literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal></term> + + <listitem> + <para>This changes the default rule action from <quote>deny</quote> + to <quote>allow</quote>. This avoids the possibility of locking + yourself out if you happen to boot a kernel with + <literal>IPFIREWALL</literal> support but have not configured + your firewall yet. It is also very useful if you often use + &man.ipfw.8; as a filter for specific problems as they arise. + Use with care though, as this opens up the firewall and changes + the way it works.</para> + </listitem> + </varlistentry> </variablelist> <note><para>Previous versions of FreeBSD contained an
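Review bot: In the first hunk, the <warning> paragraph has a grammar slip and a config-style point: "We suggest that you set ... then refining the firewall rules" should read "then refine the firewall rules", and the suggested setting should be written in the shell-assignment form used elsewhere for <filename>/etc/rc.conf</filename>, i.e. <literal>firewall_type="open"</literal>, so readers paste the quoted form. The closing claim that <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> will "avoid the possibility of a lockout" is stronger than what the option does: it only replaces the implicit final rule, so any explicit deny rules loaded from <filename>/etc/rc.firewall</filename> can still lock the administrator out; suggest "reduce the risk of a lockout caused by the default rule". The change from "three" to "four" kernel options is consistent with the new entry added in the second hunk.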
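Review bot: In the second hunk, the new <varlistentry> for <literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal> should state the security consequence concretely rather than "this opens up the firewall and changes the way it works": with this option a kernel that has <literal>IPFIREWALL</literal> support but no loaded ruleset passes all traffic, so the firewall fails open instead of closed, and a rule-loading failure at boot leaves the host unfiltered. The sentence "It is also very useful if you often use &man.ipfw.8; as a filter for specific problems as they arise" is vague; suggest rewording to say it suits hosts where <command>ipfw</command> is used to add occasional targeted deny rules on top of an otherwise permissive policy. Since this entry repeats the lockout explanation already given in the <warning> above, consider a short cross-reference to that warning instead of restating it.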