Add a <warning> that ipfw can lock everyone out if a kernel with ipfw
support is booted without explicitly setting firewall_type=open in
rc.conf or compiling a kernel with IPFIREWALL_DEFAULT_TO_ACCEPT. Also add
a short description of IPFIREWALL_DEFAULT_TO_ACCEPT since we reference it
in the text now. This part will probably need a bit more work until it's
complete.

PR: docs/46747
Submitted by: Lucky Green <shamrock@cypherpunks.to>
parent 87d70f16d9
commit 30ceb95de2
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=15536
1 changed file with 36 additions and 2 deletions
@ -2049,7 +2049,26 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
|
||||||
for more details on how to recompile your
|
for more details on how to recompile your
|
||||||
kernel.</para>
|
kernel.</para>
|
||||||
|
|
||||||
<para>There are currently three kernel configuration options relevant to
|
<warning>
|
||||||
|
<para>IPFW defaults to a policy of <literal>deny ip from any to
|
||||||
|
any</literal>. If you do not add other rules during startup to
|
||||||
|
allow access, <emphasis>you will lock yourself out</emphasis> of the
|
||||||
|
server upon rebooting into a firewall-enabled kernel. We suggest
|
||||||
|
that you set <literal>firewall_type=open</literal> in your
|
||||||
|
<filename>/etc/rc.conf</filename> file when first enabling this
|
||||||
|
feature, then refining the firewall rules in
|
||||||
|
<filename>/etc/rc.firewall</filename> after you have tested that the
|
||||||
|
new kernel feature works properly. To be on the safe side, you may
|
||||||
|
wish to consider performing the initial firewall configuration from
|
||||||
|
the local console rather than via
|
||||||
|
<application>ssh</application>. Another option is to build a kernel
|
||||||
|
using both the <literal>IPFIREWALL</literal> and
|
||||||
|
<literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> options. This will
|
||||||
|
change the default rule of IPFW to <literal>allow ip from any to
|
||||||
|
any</literal> and avoid the possibility of a lockout.</para>
|
||||||
|
</warning>
|
||||||
|
|
||||||
|
<para>There are currently four kernel configuration options relevant to
|
||||||
IPFW:</para>
|
IPFW:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
|
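Review bot: the new warning says you "will lock yourself out of the server", yet the same paragraph recommends doing the initial configuration from the local console, which a default-deny rule set does not affect; say "lock yourself out of network access to the server" (or "remote access") so the two statements agree. In the same paragraph, "We suggest that you set ... then refining the firewall rules" should read "then refine" for parallelism.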
@ -2093,6 +2112,21 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
|
||||||
logging.</para>
|
logging.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><literal>options IPFIREWALL_DEFAULT_TO_ACCEPT</literal></term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>This changes the default rule action from <quote>deny</quote>
|
||||||
|
to <quote>allow</quote>. This avoids the possibility of locking
|
||||||
|
yourself out if you happen to boot a kernel with
|
||||||
|
<literal>IPFIREWALL</literal> support but have not configured
|
||||||
|
your firewall yet. It is also very useful if you often use
|
||||||
|
&man.ipfw.8; as a filter for specific problems as they arise.
|
||||||
|
Use with care though, as this opens up the firewall and changes
|
||||||
|
the way it works.</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<note><para>Previous versions of FreeBSD contained an
|
<note><para>Previous versions of FreeBSD contained an
|
||||||
|
|
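Review bot: the closing sentence of the new entry, "Use with care though, as this opens up the firewall and changes the way it works", is too vague for an option that inverts the default policy; state the concrete consequence the entry already implies, namely that once the default rule action is "allow", any packet not matched by an explicit deny rule is passed, so a rule set written for a default-deny kernel no longer blocks anything it does not explicitly deny. The commit message itself says this part needs more work, so a sentence to that effect would close the gap.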