From hsu@mail.clinet.fi  Mon Jul 21 23:53:09 1997
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA10847
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 21 Jul 1997 23:53:01 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4])
	by hauki.clinet.fi (8.8.6/8.8.6) with ESMTP id JAA00638
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
Received: (root@localhost) by katiska.clinet.fi (8.8.6/8.6.4) id JAA22970; Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
Message-Id: <199707220652.JAA22970@katiska.clinet.fi>
Date: Tue, 22 Jul 1997 09:52:55 +0300 (EET DST)
From: Heikki Suonsivu <hsu@mail.clinet.fi>
Reply-To: hsu@mail.clinet.fi
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw default rule should be compile-time option
X-Send-Pr-Version: 3.2

>Number:         4141
>Category:       kern
>Synopsis:       ipfw default rule should be compile-time option
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 22 00:00:03 PDT 1997
>Closed-Date:    Tue Sep 9 20:28:16 PDT 1997
>Last-Modified:  Tue Sep  9 20:29:16 PDT 1997
>Originator:     Heikki Suonsivu
>Release:        FreeBSD 2.2-STABLE i386
>Organization:
Clinet, Espoo, Finland
>Environment:

2.2-STABLE.  Just supped, to find out that the ipfw kernel interface has
changed and that the kernel and ipfw have to be changed in sync.

>Description:

ipfw default rule was changed to deny over a year ago.  This is the right
thing in theory, but in practice it has been and still is a pain, causing
any configuration mistake or kernel/ipfw command difference to always be
fatal and to require manual attendance.  Fine for pure firewalls and
machines which are not kept current, but we also use ipfw for statistics
collecting and as a network problem-solving tool on machines which are
otherwise intended to be open.  This problem is particularly harmful with
machines which are usually managed remotely (I have more than 50 scattered
around within a 450km radius).

This would be easy to fix by adding a kernel compile option which would make
the ipfw default rule "allow" instead of "deny".  It would not harm anyone
but would be a lifesaver for us.

>How-To-Repeat:

Replace a -stable kernel from a month ago (I think) with a -stable kernel
from yesterday's sup and reboot, on a machine which has rc.firewall set to
"open".  The ipfw command fails when trying to set the default rule to
allow, so there is no networking.

>Fix:
	
>Release-Note:
>Audit-Trail:

From: David Nugent <davidn@labs.usn.blaze.net.au>
To: hsu@mail.clinet.fi
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/4141: ipfw default rule should be compile-time option 
Date: Thu, 24 Jul 1997 20:32:19 +1000

 >  ipfw default rule was changed to deny over a year ago.  This is the right
 >  thing in theory, but in practice it has been and still is a pain, causing
 >  configuration mistake or kernel/ipfw command difference always be fatal and
 >  requiring manual attendance.  Fine for pure firewalls and machines which
 ~
 >  This would be easy to fix by adding kernel compile option which would make
 >  ipfw default rule "allow" instead of "deny".  It would not harm anyone but
 >  would a lifesaver for us.
 >  
 >  >How-To-Repeat:
 >  
 >  Replace a -stable kernel from a month ago (I think) and -stable kernel from
 >  yesterday sup reboot, in a machine which has rc.firewall as "open".  ipfw
 >  command fails when trying to set default rule to allow, so no networking.
 >  
 >  >Fix:
 >  	
 >  >Audit-Trail:
 >  >Unformatted:
 >  
 
 
 Since Joerg is on holidays, I'll make his standard reply to this sort
 of request:
 
 Your email seemed to be truncated at this point, as the patch adding
 this feature was missing. Could you please resend?  :-)
 
 Regards,
 David
 
 PS: Yes, I think this is worth doing too. This would allow a remote
 booted machine with an nfs-mounted root filesystem to run the firewall
 code as well.
 
 -- 
 David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
 Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
 davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
 

From: Heikki Suonsivu <hsu@mail.clinet.fi>
To: David Nugent <davidn@labs.usn.blaze.net.au>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: kern/4141: ipfw default rule should be compile-time option
Date: Sat, 26 Jul 1997 18:32:14 +0300 (EET DST)

     >  ipfw default rule was changed to deny over a year ago.  This is the right
     >  thing in theory, but in practice it has been and still is a pain, causing
     >  configuration mistake or kernel/ipfw command difference always be fatal and
     >  requiring manual attendance.  Fine for pure firewalls and machines which
     ~
     >  This would be easy to fix by adding kernel compile option which would make
     >  ipfw default rule "allow" instead of "deny".  It would not harm anyone but
     >  would a lifesaver for us.
 
     Since Joerg is on holidays, I'll make his standard reply to this sort
     of request:
 
     Your email seemed to be truncated at this point, as the patch adding
     this feature was missing. Could you please resend?  :-)
 
 NOTE! Before committing this, check it through first and try it; I'm
 neither an experienced kernel hacker nor familiar with ipfw internals.  I
 have only tested it with one machine and it seemed to make things open by
 default.
 
 Please let me know if it gets committed, and about any changes made to it.
 
 ------------------
 Index: ip_fw.c
 ===================================================================
 RCS file: /usr/CVS/src/sys/netinet/ip_fw.c,v
 retrieving revision 1.51.2.3
 diff -c -r1.51.2.3 ip_fw.c
 *** ip_fw.c	1997/06/20 23:05:33	1.51.2.3
 --- ip_fw.c	1997/07/26 14:48:39
 ***************
 *** 936,953 ****
   void
   ip_fw_init(void)
   {
 ! 	struct ip_fw deny;
   
   	ip_fw_chk_ptr = ip_fw_chk;
   	ip_fw_ctl_ptr = ip_fw_ctl;
   	LIST_INIT(&ip_fw_chain);
   
 ! 	bzero(&deny, sizeof deny);
 ! 	deny.fw_prot = IPPROTO_IP;
 ! 	deny.fw_number = (u_short)-1;
 ! 	deny.fw_flg |= IP_FW_F_DENY;
 ! 	deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
 ! 	if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
   		panic(__FUNCTION__);
   
   	printf("IP packet filtering initialized, "
 --- 936,957 ----
   void
   ip_fw_init(void)
   {
 ! 	struct ip_fw default_rule;
   
   	ip_fw_chk_ptr = ip_fw_chk;
   	ip_fw_ctl_ptr = ip_fw_ctl;
   	LIST_INIT(&ip_fw_chain);
   
 ! 	bzero(&default_rule, sizeof default_rule);
 ! 	default_rule.fw_prot = IPPROTO_IP;
 ! 	default_rule.fw_number = (u_short)-1;
 ! #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
 ! 	default_rule.fw_flg |= IP_FW_F_ACCEPT;
 ! #else
 ! 	default_rule.fw_flg |= IP_FW_F_DENY;
 ! #endif
 ! 	default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
 ! 	if (check_ipfw_struct(&default_rule) == NULL || add_entry(&ip_fw_chain, &default_rule))
   		panic(__FUNCTION__);
   
   	printf("IP packet filtering initialized, "
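Review bot: the new `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` test in ip_fw_init() depends on the option reaching the compiler, but the patch registers the option only in LINT and not in sys/conf/options; the closing audit trail shows the committed change also touched src/sys/conf/options, so that registration belongs in the patch as well (the existing IPFIREWALL_VERBOSE test further down in the same file is the pattern to follow). Two smaller points: renaming `deny` to `default_rule` is the right call now that the rule may be an accept, and the widened line `if (check_ipfw_struct(&default_rule) == NULL || add_entry(&ip_fw_chain, &default_rule))` runs past 80 columns and should be wrapped after the `||`.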
 ***************
 *** 955,960 ****
 --- 959,967 ----
   		"divert enabled, ");
   #else
   		"divert disabled, ");
 + #endif
 + #ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
 + 	printf("default to accept, ");
   #endif
   #ifndef IPFIREWALL_VERBOSE
   	printf("logging disabled\n");
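Review bot: the `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` block prints "default to accept, " but has no `#else` branch, so a deny-default kernel says nothing about its policy in the boot message. Since the whole point of the option is that the two builds fail differently when no ruleset gets loaded, print the policy in both cases, e.g. add `#else` followed by `printf("default to deny, ");`, so the dmesg line always records which way the kernel fails.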
 -----------
 
 Index: LINT
 ===================================================================
 RCS file: /usr/CVS/src/sys/i386/conf/LINT,v
 retrieving revision 1.286.2.25
 diff -c -r1.286.2.25 LINT
 *** LINT	1997/06/28 09:32:15	1.286.2.25
 --- LINT	1997/07/26 14:43:14
 ***************
 *** 335,340 ****
 --- 335,341 ----
   					# dropped packets
   options		"IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
   options		IPDIVERT		#divert sockets
 + options		IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default
   options		TCPDEBUG
   
   
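Review bot: the LINT comment "# allow everything by default" understates what the option does: with it enabled, a kernel whose rc.firewall fails to load rules passes all traffic instead of blocking it, which is exactly the trade-off the PR asks for. LINT is the reference text for options, so spell the consequence out, e.g. `# default rule allows (kernel fails open if no rules are loaded)`, so nobody turns it on for a dedicated firewall host by accident.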
 
 ------------
 
     Regards,
     David
 
     PS: Yes, I think this is worth doing too. This would allow a remote
     booted machine with an nfs-mounted root filesystem to run the filewall
     code as well.
 
     -- 
     David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
     Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
     davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/
 
 -- 
 Heikki Suonsivu, Täysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
 mobile +358-40-5519679 work +358-9-43542270 fax -4555276
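The failure the PR describes, a remote host whose kernel and ipfw binary disagree, or whose rc.firewall does not run, leaving the default rule in a state the operator did not intend, is one worth checking before and after a reboot rather than discovering by losing the link. The following shell check is an added example and not part of the PR, of the patch above, or of FreeBSD itself; it assumes that `ipfw list` prints the default rule as `65535 <action> ip from any to any` (65535 being the `(u_short)-1` rule number set in ip_fw_init()), and the `ipfw list` outputs it parses are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from PR kern/4141 or FreeBSD): report which policy
# the kernel's default ipfw rule applies, from `ipfw list` text on stdin.
# Assumption: the default rule is listed as "65535 <action> ip from any to any".

# Constructed sample outputs standing in for `ipfw list` on three hosts:
# a deny-default kernel, an accept-default kernel, and a host where the
# default rule is missing from the listing (e.g. kernel/ipfw out of sync).
SAMPLE_DENY='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

SAMPLE_ACCEPT='00100 allow ip from any to any via lo0
65535 allow ip from any to any'

SAMPLE_NONE='00100 allow ip from any to any via lo0'

# default_policy: read ipfw list text on stdin and print one word,
# "allow", "deny" or "unknown" (no rule 65535 seen). ipfw(8) accepts
# several spellings for each action, so they are normalised here.
default_policy() {
    awk '
        $1 == "65535" {
            a = $2
            if (a == "accept" || a == "pass" || a == "permit") a = "allow"
            if (a == "drop") a = "deny"
            print a
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# assert_policy EXPECTED: compare the policy on stdin with what the
# operator expects for this host; exit status 0 on match, 1 otherwise,
# so it can gate a remote reboot script.
assert_policy() {
    expected=$1
    actual=$(default_policy)
    if [ "$actual" = "$expected" ]; then
        echo "default rule policy is $actual, as expected"
        return 0
    fi
    echo "default rule policy is $actual, expected $expected" >&2
    return 1
}

# Demonstration on the constructed samples: prints deny, allow, unknown.
for sample in "$SAMPLE_DENY" "$SAMPLE_ACCEPT" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | default_policy
done
```

On a live host the check would be run as `ipfw list | assert_policy deny` (or `allow` for a box built with the option in the patch); an "unknown" result means the listing had no rule 65535 at all, which is the kernel/ipfw mismatch case and deserves a look before anyone reboots the machine remotely.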
State-Changed-From-To: open->closed 
State-Changed-By: peter 
State-Changed-When: Tue Sep 9 20:28:16 PDT 1997 
State-Changed-Why:  
Suggested changes applied, thanks! 
Revision  Changes    Path 
1.33      +2 -1      src/sys/conf/options 
1.364     +9 -1      src/sys/i386/conf/LINT 
1.63      +16 -8     src/sys/netinet/ip_fw.c 
>Unformatted:
