From shamrock@pakastelohi.cypherpunks.to  Fri Jan  3 23:53:35 2003
Return-Path: <shamrock@pakastelohi.cypherpunks.to>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C396937B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Jan 2003 23:53:35 -0800 (PST)
Received: from pakastelohi.cypherpunks.to (pakastelohi.cypherpunks.to [213.130.163.34])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 58B3343EA9
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  3 Jan 2003 23:53:35 -0800 (PST)
	(envelope-from shamrock@pakastelohi.cypherpunks.to)
Received: by pakastelohi.cypherpunks.to (Postfix, from userid 1001)
	id 39DA73648A; Sat,  4 Jan 2003 08:53:23 +0100 (CET)
Message-Id: <20030104075323.39DA73648A@pakastelohi.cypherpunks.to>
Date: Sat,  4 Jan 2003 08:53:23 +0100 (CET)
From: Lucky Green <shamrock@cypherpunks.to>
Reply-To: Lucky Green <shamrock@cypherpunks.to>
To: FreeBSD-gnats-submit@freebsd.org
Cc: shamrock@cypherpunks.to
Subject: Handbook: missing IPFW foot-shooting warning
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         46747
>Category:       docs
>Synopsis:       Handbook: missing IPFW foot-shooting warning
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keramida
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 04 00:00:22 PST 2003
>Closed-Date:    Sat Jan 04 01:43:11 PST 2003
>Last-Modified:  Sat Jan 04 01:43:11 PST 2003
>Originator:     Lucky Green
>Release:        FreeBSD 4.6.2-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD pakastelohi.cypherpunks.to 4.6.2-RELEASE-p5 FreeBSD 4.6.2-RELEASE-p5 #0: Tue Dec 31 06:33:55 CET 2002 root@pakastelohi.cypherpunks.to:/usr/obj/usr/src/sys/PAKASTELOHI-20021231 i386


	
>Description:
	Even though LINT contains an IPFW foot-shooting warning, the step-by-step instructions on enabling IPFW at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html do not. Consequently, administrators following the above instructions to the letter are likely to lock themselves out of their machines.
>How-To-Repeat:
	
>Fix:

Apply the following doc patch to /usr/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml

*** chapter.sgml.orig   Sat Jan  4 07:52:10 2003
--- chapter.sgml        Sat Jan  4 08:34:58 2003
***************
*** 2048,2053 ****
--- 2048,2067 ----
        linkend="kernelconfig">)
        for more details on how to recompile your
        kernel.</para>
+
+       <note><title>Warning</title>
+       <para>IPFW defaults to a policy of "deny ip from any to any".
+       If you do not add other rules during startup to allow access,
+        <emphasis>you will lock yourself out</emphasis> of the server upon
+        rebooting into a firewall-enabled kernel. It is therefore
+        suggested that you set firewall_type=open in /etc/rc.conf when first enabling
+        this feature, then refining the firewall rules in /etc/rc.firewall
+        after you've tested that the new kernel feature works properly. To be
+        on the safe side, you may wish to consider performing the initial
+        firewall configuration from the local console rather than
+        via <application>ssh</application>.
+       </para>
+       </note>

        <para>There are currently three kernel configuration options relevant to
        IPFW:</para>
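Review bot: the new admonition is a `<note>` carrying a "Warning" title, but DocBook has a dedicated `<warning>` element for exactly this case; using `<warning>` lets the stylesheets render it with the warning icon and drops the hand-written title. Within the same paragraph, `firewall_type=open`, `/etc/rc.conf` and `/etc/rc.firewall` are left as bare text while `ssh` already gets `<application>` markup; wrap the variable in `<literal>` and the paths in `<filename>` for consistency, and write the assignment the way rc.conf expects it, `firewall_type="open"`, since readers will paste it. Grammar: "It is therefore suggested that you set ... then refining the firewall rules" should read "then refine the firewall rules".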

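The lock-out the warning above describes can be caught before the reboot by checking rc.conf for it. The following is an added example, not code from the PR or from FreeBSD; it assumes the standard rc.conf variables firewall_enable and firewall_type and the named rule sets that /etc/rc.firewall selects (open, client, simple, closed), and the sample rc.conf text is constructed.

```python
"""Lint an rc.conf for the IPFW first-boot lock-out (added example)."""
import re
import shlex

# rc.conf is sh syntax: VAR="value" or VAR=value, '#' comments, last assignment wins.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$')


def parse_rc_conf(text):
    """Return {var: value} from rc.conf text, with quotes and comments removed."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.groups()
        parts = shlex.split(raw, comments=True)  # handles "open" and bare open alike
        conf[name] = parts[0] if parts else ""
    return conf


def ipfw_lockout_risk(conf):
    """Classify what a reboot into an IPFW kernel does with these settings.

    Returns "lockout", "review", "open" or "custom" (assumed rc.firewall semantics).
    """
    enable = conf.get("firewall_enable", "NO").upper()
    ftype = conf.get("firewall_type", "UNKNOWN").lower()
    if enable != "YES":
        return "lockout"   # rc.firewall never runs; the kernel's default deny stands
    if ftype == "open":
        return "open"      # allow ip from any to any: safe for the first boot
    if ftype in ("closed", "unknown"):
        return "lockout"   # only loopback (or nothing) is permitted
    if ftype in ("client", "simple"):
        return "review"    # canned sets whose addresses must be edited first
    return "custom"        # a filename of rules: check it by hand before rebooting


# Constructed sample: firewall enabled, no type given, i.e. the foot-shooting case.
UNSAFE_RC_CONF = 'ifconfig_fxp0="inet 192.0.2.10 netmask 255.255.255.0"\n' \
                 'firewall_enable="YES"   # new kernel has IPFW compiled in\n'
# The same file with the setting the warning recommends for a first boot.
SAFE_RC_CONF = UNSAFE_RC_CONF + 'firewall_type="open"\n'

if __name__ == "__main__":
    for label, text in (("unsafe", UNSAFE_RC_CONF), ("safe", SAFE_RC_CONF)):
        print(label, "->", ipfw_lockout_risk(parse_rc_conf(text)))
```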
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->keramida 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Sat Jan 4 00:46:08 PST 2003 
Responsible-Changed-Why:  
Refining the patch with Lucky.  I'll handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46747 
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Sat Jan 4 01:40:26 PST 2003 
State-Changed-Why:  
Done!  Many thanks to Lucky Green <shamrock at cypherpunks dot to> 
for submitting the initial text and reviewing my final version. 
I hope this saves a few IPFW users from locking themselves out :-) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=46747 
>Unformatted:
