From 30ceb95de2e5918b8ccfcb57f12b2564eb79f425 Mon Sep 17 00:00:00 2001 From: Giorgos Keramidas <keramida@FreeBSD.org> Date: Sat, 4 Jan 2003 09:39:47 +0000 Subject: [PATCH] Add a <warning> that ipfw can lock everyone out if a kernel with ipfw support is booted without explicitly setting firewall_type=open in rc.conf or compiling a kernel with IPFIREWALL_DEFAULT_TO_ACCEPT. Also add a short description of IPFIREWALL_DEFAULT_TO_ACCEPT since we reference it in the text now. This part will probably need a bit more work until it's complete. PR: docs/46747 Submitted by: Lucky Green <shamrock@cypherpunks.to> --- .../books/handbook/security/chapter.sgml | 38 ++++++++++++++++++- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index fd2e177eed..f8cb0ebd5f 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml 
@@ -2048,8 +2048,27 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen> linkend="kernelconfig">) for more details on how to recompile your kernel.</para> - - <para>There are currently three kernel configuration options relevant to + + <warning> + <para>IPFW defaults to a policy of <literal>deny ip from any to + any</literal>. If you do not add other rules during startup to + allow access, <emphasis>you will lock yourself out</emphasis> of the + server upon rebooting into a firewall-enabled kernel. We suggest + that you set <literal>firewall_type=open</literal> in your + <filename>/etc/rc.conf</filename> file when first enabling this + feature, then refining the firewall rules in + <filename>/etc/rc.firewall</filename> after you have tested that the + new kernel feature works properly. To be on the safe side, you may + wish to consider performing the initial firewall configuration from + the local console rather than via + <application>ssh</application>. Another option is to build a kernel + using both the <literal>IPFIREWALL</literal> and + <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> options. This will + change the default rule of IPFW to <literal>allow ip from any to + any</literal> and avoid the possibility of a lockout.</para> + </warning> + + <para>There are currently four kernel configuration options relevant to IPFW:</para> <variablelist> 
@@ -2093,6 +2112,21 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen> logging.</para> </listitem> </varlistentry> + + <varlistentry> + <term><literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal></term> + + <listitem> + <para>This changes the default rule action from <quote>deny</quote> + to <quote>allow</quote>. This avoids the possibility of locking + yourself out if you happen to boot a kernel with + <literal>IPFIREWALL</literal> support but have not configured + your firewall yet. It is also very useful if you often use + &man.ipfw.8; as a filter for specific problems as they arise. + Use with care though, as this opens up the firewall and changes + the way it works.</para> + </listitem> + </varlistentry> </variablelist> <note><para>Previous versions of FreeBSD contained an
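Review bot: In the new <warning> of the first hunk, "We suggest that you set firewall_type=open ... then refining the firewall rules" mixes verb forms; make it "then refine the firewall rules in /etc/rc.firewall after you have tested ...". The same paragraph offers IPFIREWALL_DEFAULT_TO_ACCEPT as a way to "avoid the possibility of a lockout" without saying what it costs: until the rules in /etc/rc.firewall are loaded, every packet is accepted. The second hunk does carry that caveat ("this opens up the firewall"), but a reader of the warning alone will not see it, so repeat the one-sentence caveat here or point at the new varlistentry from the warning.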
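Review bot: The new IPFIREWALL_DEFAULT_TO_ACCEPT entry in the second hunk describes the effect only as "opens up the firewall and changes the way it works"; state the concrete consequence that follows from the first sentence of the entry: a packet that matches no rule is allowed instead of denied, so a rule set that relied on the implicit final deny must now end with an explicit deny rule to keep its previous behaviour. The sentence "It is also very useful if you often use &man.ipfw.8; as a filter for specific problems as they arise" is vague; either give the case it means (adding a few deny rules ad hoc while all other traffic keeps flowing) or drop it. The commit message already says this part needs more work; these two points are the gaps I would close before it ships.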