authorpeter <peter@FreeBSD.org>1997-09-10 03:07:14 +0000
committerpeter <peter@FreeBSD.org>1997-09-10 03:07:14 +0000
commit85d28c393b5b832b050e4fc51e0c113811252b1e (patch)
treefe137a24465391d0983dbe16ca9c30a1139d52e6 /sys/conf
parent74b863965ccdf828063a0b0413c9ee2c9bac138a (diff)
downloadFreeBSD-src-85d28c393b5b832b050e4fc51e0c113811252b1e.zip
FreeBSD-src-85d28c393b5b832b050e4fc51e0c113811252b1e.tar.gz
Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you use ipfw as an as-needed casual filter which normally runs as 'allow all', then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind. PR: 4141 Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES10
-rw-r--r--sys/conf/options3
2 files changed, 11 insertions, 2 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 9e84fa0..e470f53 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -2,7 +2,7 @@
# LINT -- config file for checking all the sources, tries to pull in
# as much of the source tree as it can.
#
-# $Id: LINT,v 1.362 1997/09/04 23:03:09 yokota Exp $
+# $Id: LINT,v 1.363 1997/09/09 12:40:53 jmg Exp $
#
# NB: You probably don't want to try running a kernel built from this
# file. Instead, you should start from GENERIC, and add options from
@@ -368,6 +368,13 @@ pseudo-device tun 1 #Tunnel driver(user process ppp)
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
+# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
+# allow everything. Use with care, if a cracker can crash your
+# firewall machine, they can get to your protected machines. However,
+# if you are using it as an as-needed filter for specific problems as
+# they arise, then this may be for you. Changing the default to 'allow'
+# means that you won't get stuck if the kernel and /sbin/ipfw binary get
+# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''
#
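Review bot: The new paragraph says the default rule allows everything "(at boot)" but never states the consequence plainly: with this option the host passes all traffic for the entire interval between kernel start and the moment /sbin/ipfw installs the ruleset, and it silently returns to that open state after any crash-and-reboot, which is the scenario the "if a cracker can crash your firewall machine" sentence alludes to. I'd make that explicit so a reader weighing the trade-off sees it is fail-open rather than merely "allow by default", e.g. `# Note: the machine passes all traffic from boot until /sbin/ipfw loads a ruleset, and again after any reboot; the normal (deny) build fails closed in that window.` It is also worth a sentence that, being compile-time, the choice is invisible to `ipfw list` and must be tracked in the kernel config when auditing the firewall's posture. The option line itself is added in the next hunk.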
@@ -379,6 +386,7 @@ options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
+options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by defalt
options IPDIVERT #divert sockets
options TCPDEBUG
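Review bot: The trailing comment on the new line misspells "default" ("by defalt"); since NOTES/LINT is the file people copy option lines from, the typo will propagate into kernel configs: `options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default`. The comment could also point back to the explanatory paragraph earlier in the file so the security trade-off is not lost when only this line is copied.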
diff --git a/sys/conf/options b/sys/conf/options
index 1857efd..083391e 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -1,4 +1,4 @@
-# $Id: options,v 1.31 1997/06/04 16:44:22 pst Exp $
+# $Id: options,v 1.32 1997/08/19 17:05:23 peter Exp $
# Format:
# Option name filename
@@ -98,5 +98,6 @@ MROUTING opt_mrouting.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_VERBOSE opt_ipfw.h
IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h
+IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
PPP_BSDCOMP opt_ppp.h
PPP_DEFLATE opt_ppp.h