author: peter <peter@FreeBSD.org> 1997-09-10 04:02:37 +0000
committer: peter <peter@FreeBSD.org> 1997-09-10 04:02:37 +0000
commit: 821f87d72dda1f5577146d38a90ab2a62589a3f4
tree: 24eae4662bcebc55a34da371577f1d13b0f80349 /sbin/ipfw
parent: f8ab40fb46d101f448cf0cef7148ab82286e1683
Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on
rule 65535
Diffstat (limited to 'sbin/ipfw')
-rw-r--r-- sbin/ipfw/ipfw.8 16
1 files changed, 14 insertions, 2 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index a671b63..da7d95a 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -93,6 +93,17 @@ This rule is the default policy, i.e., don't allow anything at all.
Your job in setting up rules is to modify this policy to match your
needs.
.Pp
+However, if the kernel option
+.Dq IPFIREWALL_DEFAULT_TO_ACCEPT
+is active, the rule is instead:
+.Bd -literal -offset center
+65535 allow all from any to any
+.Ed
+.Pp
+This variation lets everything pass through. This option should only be
+activated in particular circumstances, such as if your you use the firewall
+system as an on-demand denial-of-service filter that is normally wide open.
+.Pp
The following options are available:
.Bl -tag -width flag
.It Fl a
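Review bot: the added sentence beginning "This option should only be activated" contains a doubled word, "such as if your you use the firewall"; it should read "such as if you use the firewall". The paragraph would also be stronger if it stated the consequence directly: with IPFIREWALL_DEFAULT_TO_ACCEPT, rule 65535 is "allow all from any to any", so a host with no other rules loaded, or one whose rules have just been flushed, passes all traffic. Saying that next to the new example makes the "particular circumstances" warning concrete for administrators who rely on the default deny policy described just above.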
@@ -107,10 +118,11 @@ While adding or flushing, be quiet about actions (implies '-f'). This is
useful for adjusting rules by executing multiple ipfw commands in a script
(e.g. sh /etc/rc.firewall), or by processing a file of many ipfw rules,
across a remote login session. If a flush is performed in normal
-(verbose) mode, it prints a message. Because all rules are flushed, the
+(verbose) mode (with the default kernel configuration), it prints a message.
+Because all rules are flushed, the
message cannot be delivered to the login session, the login session is
closed and the remainder of the ruleset is not processed. Access to the
-console is required to recover.
+console is required to recover.
.It Fl t
While listing, show last match timestamp.
.It Fl N
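Review bot: the new parenthetical "(with the default kernel configuration)" is attached to "it prints a message", but what depends on the kernel configuration is the outcome in the next sentence, where the message cannot be delivered and the login session is closed. Consider moving the qualifier to that sentence and naming the option explicitly, for example by saying that without IPFIREWALL_DEFAULT_TO_ACCEPT a flush leaves only the default deny rule. The final -/+ pair on "console is required to recover." shows no visible text difference, so it looks like a whitespace-only change that could be dropped from this commit.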