| author | dillon <dillon@FreeBSD.org> | 2002-06-25 02:34:24 +0000 |
|---|---|---|
| committer | dillon <dillon@FreeBSD.org> | 2002-06-25 02:34:24 +0000 |
| commit | a1c22f015e24d011ec3ce92cb0e3af01e32c72f7 (patch) | |
| tree | c594a051f4252871e47cfb2ef3ab5fe5884fa01e /share | |
| parent | ea2f279985fab9e78b84a3a3e6ded69f58ec0df7 (diff) | |
update the firewall documentation to cover the fact that ipfw can be
loaded as a module.
PR: kern/39814
Diffstat (limited to 'share')

| -rw-r--r-- | share/man/man7/firewall.7 | 22 |
|---|---|---|

1 files changed, 13 insertions, 9 deletions
diff --git a/share/man/man7/firewall.7 b/share/man/man7/firewall.7 index eea0fde..602c617 100644 --- a/share/man/man7/firewall.7 +++ b/share/man/man7/firewall.7 @@ -60,11 +60,15 @@ a TCP reset for the connection attempt rather then simply blackholing the packet. We cover these and other quirks involved with constructing a firewall in the sample firewall section below. .Sh IPFW KERNEL CONFIGURATION -To use the ip firewall features of +You do not need to create a customer kernel to use the IP firewalling features. +If you enable firewalling in your +.Em /etc/rc.conf +(see below), the ipfw kernel module will be loaded automatically. However, +if you are paranoid you can compile IPFW directly into the .Fx -you must create a custom kernel with the +kernel by using the .Sy IPFIREWALL -option set. The kernel defaults its firewall to deny all +option set. If compiled in the kernel defaults its firewall to deny all packets by default, which means that if you do not load in a permissive ruleset via .Em /etc/rc.conf , 
@@ -80,13 +84,13 @@ boot sequence, also resulting in an inaccessible machine. Because of these problems the .Sy IPFIREWALL_DEFAULT_TO_ACCEPT kernel option is also available which changes the default firewall -to pass through all packets. Note, however, that this is a very -dangerous option to set because it means your firewall is disabled -during booting. You should use this option while getting up to -speed with +to pass through all packets. Note, however, that using this option +may open a small window of opportunity during booting where your +firewall passes all packets. Still, it's a good option to use +while getting up to speed with .Fx -firewalling, but get rid of it once you understand how it all works -to close the loophole. There is a third option called +firewalling. Get rid of it once you understand how it all works +to close the loophole, though. There is a third option called .Sy IPDIVERT which allows you to use the firewall to divert packets to a user program and is necessary if you wish to use |
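Review bot: typo and a missing comma in the IPFW KERNEL CONFIGURATION hunk (@@ -60,11 +60,15 @@): "create a customer kernel" should read "create a custom kernel", and "If compiled in the kernel defaults its firewall" needs a comma after "in", otherwise it reads as "compiled in the kernel". On substance, "if you are paranoid" gives the reader no reason to prefer the compiled-in IPFIREWALL option, although the hunk contains the reason: the module is loaded when /etc/rc.conf is processed, while a compiled-in firewall denies all packets from the start. Consider stating that trade-off directly, e.g. "If you want the firewall active before /etc/rc.conf is processed, compile it into the kernel with the IPFIREWALL option."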
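Review bot: the rewording in the IPFIREWALL_DEFAULT_TO_ACCEPT hunk (@@ -80,13 +84,13 @@) softens "very dangerous" to "a small window of opportunity" but the following sentence still tells the reader to remove the option "to close the loophole", so the paragraph now understates the risk and then re-asserts it. State it once and concretely: with this option every packet passes until the ruleset from /etc/rc.conf is installed, so the host is unfiltered for that part of the boot sequence. Also, "Still, it's a good option" and the trailing "though" are conversational for a man page; "it is a reasonable option" and dropping "though" would match the rest of firewall.7.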