From nobody@www.freebsd.org  Mon Jun 24 19:04:56 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id BFED437B40B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 24 Jun 2002 19:04:53 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5P24rhG052852
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 24 Jun 2002 19:04:53 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5P24r2A052851;
	Mon, 24 Jun 2002 19:04:53 -0700 (PDT)
Message-Id: <200206250204.g5P24r2A052851@www.freebsd.org>
Date: Mon, 24 Jun 2002 19:04:53 -0700 (PDT)
From: Chris Pepper <pepper@mail.rockefeller.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: GENERIC kernel should include ipfw
X-Send-Pr-Version: www-1.0

>Number:         39814
>Category:       kern
>Synopsis:       GENERIC kernel should include ipfw
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 24 19:10:01 PDT 2002
>Closed-Date:    Mon Jun 24 19:17:57 PDT 2002
>Last-Modified:  Mon Jun 24 19:20:01 PDT 2002
>Originator:     Chris Pepper
>Release:        4.6-STABLE
>Organization:
>Environment:
FreeBSD guest.reppep.com 4.6-STABLE FreeBSD 4.6-STABLE #0: Tue Jun 18 21:27:59 EDT 2002     pepper@guest.reppep.com:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
ipfw should be in the GENERIC (default) kernel configuration.

Firewalling shouldn't require a kernel rebuild.

Further, this increases the likelihood of shooting oneself in the foot when activating firewalling, if it's not yet configured properly (over providing a non-restrictive default ruleset, and then tightening it to cause a change).
>How-To-Repeat:
Install 4.5-RELEASE
>Fix:
Add IPFIREWALL (v4) options to GENERIC, and if IPv6 is activated, add IPFIREWALL (v6) options as well.


options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_FORWARD      #enable transparent proxy support
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPV6FIREWALL            #firewall for IPv6
options         IPV6FIREWALL_VERBOSE    #enable logging to syslogd(8)
options         IPV6FIREWALL_VERBOSE_LIMIT=100  #limit verbosity
options         IPV6FIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: billf 
State-Changed-When: Mon Jun 24 19:16:11 PDT 2002 
State-Changed-Why:  
Thanks to the joys of kernel modules, firewalling doesn't 
require a kernel rebuild (or reboot). 

man kldload, man ipfw, see src/sys/modules/ipfw/Makefile 

IPFIREWALL_FORWARDing requiring a kernel rebuild is a 
known issue and is being addressed already. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=39814 

From: Larry Rosenman <ler@lerctr.org>
To: Chris Pepper <pepper@mail.rockefeller.edu>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/39814: GENERIC kernel should include ipf
Date: 24 Jun 2002 21:12:29 -0500

 What if someone prefers IPFilter?  
 
 Why change it? 
 
 LER
 -- 
 Larry Rosenman                     http://www.lerctr.org/~ler
 Phone: +1 972-414-9812                 E-Mail: ler@lerctr.org
 US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
 
>Unformatted:
